August 7, 2018
Think opens in a new windowGDPR (General Data Protection Regulation) doesn’t apply to your organization? You might want to think again.
The regulation could have implications you haven’t considered. And with opens in a new windowrelated regulation being passed in California, it’s wise to take another look at your potential exposure.
opens in a new windowArticle 3 of the GDPR suggests that a non-EU-based company is subject to the new law if it processes personal data of an individual residing in the EU. To assess your current practices, ask yourself these questions:
- Where do we offer goods and services within and outside the U.S.?
- What personal data do we collect and where does it come from?
- How do we collect it and where is it stored?
- Who needs to have access to that information?
- Who’s responsible for that information?
If the answers to these questions leave you feeling like you might, indeed, need to comply, contact your attorney to get an expert opinion.
GDPR and State/Local Governments
It’s unlikely GDPR will apply to state and local governments, but if you do international marketing, you should take a closer look.
For instance, say the City of Raleigh launched a marketing campaign to get people from Germany to visit. “Since the campaign is targeted at people in the EU, it likely would fall under GDPR, which means the government organization or its marketing agency would need to be compliant,” Bailey says. Your take-away: Pay attention to who you’re targeting with your marketing, website, and campaigns. And where those people are located.
Higher Education: GDPR vs. FERPA
Colleges and universities are more likely to fall under GDPR. If your institution has campuses, programs and partners in the EU; if it markets to EU students to study here; or if its students go abroad, you need to pay attention to the regulation.
It’s the same if your faculty and staff do research that uses data from EU residents.
“In these cases, if the institution isn’t complying, what’s at stake isn’t just the penalties, but also the risk of losing the partnership with an EU institution,” Bailey cautions. “It’s also tempting to think that if you comply with FERPA, you’re complying with GDPR, but that’s not necessarily true.” That’s because the US and the EU/UK look at privacy differently. “Here, there’s not a fundamental right to privacy, while in the UK and EU, you do have fundamental right to privacy and to be forgotten.”
Medicine & Healthcare: GDPR vs. HIPAA
HIPAA is a US law ensuring the privacy and security of protected health information. “HIPAA applies to a defined group of ‘covered entities’ – generally health plans, health clearinghouses, and healthcare providers – and their ‘business associates’,” Bailey explains. She adds, “GDPR, on the other hand, has a much broader scope, both in terms of the type of data it applies to – generally, anything that is personally identifiable – and in terms of the entities within its reach – any entity that offers goods or services to citizens in the EU.”
Even if you don’t need to comply with GDPR, re-evaluating your data privacy and protection policies is a good idea. As more nations and states begin to enact their own versions of the regulation, a little advance work can make it easier to know if and how you need to comply.
Good News for WordPress Website Owners
WordPress has created a opens in a new windowGDPR Compliance Team to develop and test data privacy tools for inclusion in the WordPress core. The team is focusing on creating a comprehensive core policy, plugin guidelines, privacy tools, and documentation.
In the meantime, want to know more about making your WordPress website GDPR compliant? We recommend these reader-friendly resources:
- opens in a new windowThe Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know (WPBeginner)
- opens in a new windowHow to Make Your WordPress Site GDPR Compliant (WPExplorer)
- opens in a new windowMake Your WordPress Website GDPR-Compliant: Useful Tips & Plugins (WPLounge)
DISCLAIMER: This information is not intended as a substitute for professional legal consultation; it’s provided “as is” without any representations or warranties, express or implied. Always consult an attorney when you have specific questions about any business matter of this kind.