Don’t panic. Depending on the kind of company you are, your risks for GDPR enforcement may vary. Many SMBs with no physical or economic presence in the EU, marketing in the EU, etc. may be at relatively low risk and can implement provisions of GDPR as time and resources permit.
DISCLAIMER: I AM NOT A LAWYER. THIS IS NOT LEGAL ADVICE. CONSULT YOUR LAWYER.
Can’t see anything? Watch it on YouTube here.
Listen to the audio here:
- Subscribe to my weekly newsletter for more useful marketing tips.
- Find older episodes on my YouTube channel.
- Need help with your company’s data and analytics? Let me know!
What companies are at risk from EU penalties, now that the enforcement window is open?
- Targeting people in the EU for business (language, ads, etc.)
- Do business with EU data subjects (people physically located in the EU)
- Have economic presence in the EU (do business, file taxes, etc.)
- Have physical presence in the EU
- Subject to other EU regulations (Privacy Shield, etc.)
If you’re not subject to any of the above – like a pizza shop in Topeka – then your risk to GDPR enforcement penalties is relatively low and the legislation should not be a cause for panic. Implement what you can at the pace you can, even after today’s deadline has passed. If you’re at risk, then hustle as fast as you can to finish your implementation.
Many of GDPR’s requirements are also good for the customer. Implement as many of the provisions of GDPR as you can practically do, especially the ones that are customer-friendly, because it’ll help your business in the long run, regardless of your exposure:
- 72-hour maximum data breach notification
- Privacy as a core feature, not an addon
- Collect minimum required data
- Obtain explicit consent for data uses
- Allow customers the right to be forgotten
- Allow customers the right know their data
- Clear, easy to read privacy policies that tell customers how data is used
Finally, absolutely no one knows for sure how GDPR will actually be enforced until the first court cases are settled. Since today (25 May 2018) is the first day enforcement penalties apply to non-compliant companies, we still have no actual results, no closed cases that give us insights into how strict provisions will be enforced.
What follows is an AI-generated transcript. The transcript may contain errors and is not a substitute for watching the video.
It’s time for that Friday feeling. And today that feeling around the planet is may may, 25.
That feeling today, this panic for a lot of people today is the first day that the European Union can impose enforcement penalties for failure to comply with GDPR the global data protection or general data protection regulation.
opt in email lists, all that stuff. And a whole lot of people are now aware of GDPR that we’re not even though the regulation was passed two years ago today is when the enforcement penalties began. By the way, if you want to know which companies, you probably want to do business with, because they are well prepared, their thoughtful, they put the.
customer first and they have robust internal processes for managing change. But look in your inbox and see who emailed you about GDPR like a month ago or two months ago, or maybe even a year ago who got themselves into compliance sooner rather than later. As opposed to everybody who’s emailing you yesterday and today going well, we’ve updated our stuff, right guys, you kind of wait until the last minute on that one. So the feeling is definitely panic. Some folks left comments on previous YouTube video saying there’s going to link their website entirely which is a little drastic. So let’s talk about
GDPR and and the risks of it. Now that the enforcement penalty window is technically open.
First of all, disclaimer, big disclaimer. I am not a lawyer. This is not legal advice. Consult your lawyer please
if you have legal questions pertaining to your company, particularly about mitigating your risks under
GDPR please consult a qualified lawyer, not a guy on the internet. So
risks risks of enforcement are going to vary based on the kind of company you are. So for example, if you have a physical presence in office, an employee etc within the EU, then yes you have substantial exposure to GDPR
if you have an economic presence, you do business in the EU file taxes in the E like the VA, te you report income
you are targeting people with your marketing either by localizing it to languages in the EU
running targeted ads like Facebook retargeting and stuff in the EU then yeah, I guess what that you you have substantial exposure to GDPR if you’re subject to other EU regulations Privacy Shield, for example.
Yes, you have substantial risk exposure to GDPR and you need to comply with the law to the letter. If, on the other hand, you are Ned’s pizza shop in Topeka, right. And you have a website, you’re not attempting in any way to localize for the you’re not running ads to people in Berlin for your pizza, you couldn’t even get a pizza to Berlin in in a timely manner.
You have no offices or branches or franchises in in the EU
and you don’t really do much data collection, other than maybe an email newsletter, your risk is very low for for enforcement of penalties and fines, because what would have to happen is that the EU would need to pass a judgment against your company and then reach out to a US Court to have the judgment enforced for
a pizza shop in Topeka.
Your risk is super low because the US Court and frankly an EU court aren’t gonna bother right they’re going to go after the big fish though you know if your company makes over a billion dollars a year then yeah you you are might be worth the work if you’re a pizza shop making 25 bucks you know
week on in margin you ain’t worth it
so assessing your risk is is a core part of
compliance with GDPR now that said
many of the provisions of GDPR good things to do they’re good things to do anyway and
complying with them and doing them will position you well for when privacy regulations inevitably change in the United States we’re headed that direction we’ve been headed that direction for a while the issues with Facebook and Cambridge Analytica and stuff has only accelerated our likelihood of implementing privacy regulations as is typical with United States law.
More watered down, because our law tends to favor business much more heavily than favoring the citizen.
So what are the things that you should do, regardless of whether GDPR is a is a high risk for your business or not the 72 hour requirement to notify customers within three days of a data breach. That’s a good thing to do. lets people know, hey, that something happened where, you know, here’s, here’s what we’re doing to remediate it. Building privacy into your systems as a core feature, not an add on, you know, things like hashing passwords in your in your web application and database. That’s a smart thing to do. No matter what
collecting the minimum amount of required data is,
again, a very smart thing to do the less data you have its pitch, essentially you don’t use it, the less that can be compromised in a data breach, collect more relevant data to collect behavioral data as opposed to demographic data collect, you know what pages to people visit on your web.
website is probably gonna be a better signal. Then what company they work for or what their title is obtaining explicit consent for data uses hey we want to use your email address for retargeting cool
let people know that you’re going to do that and that’s not a bad thing to do, let people know if you are going to share their data. That’s an important thing to do the the rights to be forgotten the rights to be able to get a copy of your data, the right to
port your data. Those are all good things to do. And one of the great things about GDPR is that with
the big tech companies having to be globally compliant now for a lot of small businesses, those features that you would have had to spend a lot of money to build are built into a lot of different pieces of software and so that’s a that’s a good thing to be able to do is if a customer says, I just don’t want to hear from you ever again. Delete my information. Okay, gone. You’re out.
And most of all, which I think is.
is a benefit to everybody is clear, easy to read privacy policies that tell customers how the data is used. That’s a good thing to do. That is a good thing to do for people because it tells them what you’re doing with their data and what
what’s going to happen with their data. That’s as a customer, as a consumer, I want to know, hey, if you’re going to sell my data to every
spammer on the planet, I’d like to know that before I sign up for something, and you know, the days of 48 page end user license agreements, in terms of service, the fact that the big companies now have to comply with GDP is requirements that they be easy to read and short.
That’s a good thing. So a lot of these provisions
they’re worth doing anyways, do that do as many as you practically can. And that way in the unlikely event that if you’re a company that has no exposure of any kind in the EU, you’re Ned’s pizza shop in Topeka, right.
And you have no intent of doing business within the EU
if in the highly unlikely event that the European Commission says, Hey, we’re going to pass judgment against you
doing as many of these practices in addition to being good for the customer also shows a good faith effort towards compliance with the resources you have. Now, if you are Citibank, if you are Google, if you are
Trump, hotels International, say,
and you have substantial exposure, you must comply, you must comply, top to bottom you no exceptions. If, on the other hand, if you are not that kind of multinational company, then do your best to comply with what’s available, assess your risk, talk to your lawyer
but know that you’re probably not at substantial risk from GDPR right so don’t panic. comply as best as you can and do the things that are.
good for business. Anyway, they’re good for the customer. Anyway, you can’t lose by helping the customer. So that’s today’s Friday feeling. Again, not a lawyer. This is not legal advice, consult your lawyer and subscribe to the newsletter and the email and the YouTube channel and stuff. And we’ll talk to you soon. Take care. Please don’t panic.
If you want help with your company’s data and analytics. Visit Trust Insights. com today and let us know how we can help you.
You might also enjoy:
- Best Practices for Public Speaking Pages
- How to Set Your Public Speaking Fee
- How To Set Your Consulting Billing Rates and Fees
Want to read more like this from Christopher Penn? Get updates here:
Get your copy of AI For Marketers
Also published on Medium.