The General Data Protection Regulation (GDPR) went into effect this year.
If you’re a freelancer or small local studio, there’s a good chance you have no idea what I’m talking about. Fair enough. GDPR is a new law regulating the way businesses collect, process, and use data from citizens in the European Union. “At its core,” states one source, “GDPR is designed to protect personally identifiable information by strengthening and unifying the standards for data storage.” The law covers any business with EU customers, no matter where or how big the business is: even tiny photography studios in St. Podunk, Kansas, can be affected.
Of course, if you are a freelancer or small shop, it’s unlikely that you have any customers in the EU … or have any real prospects of ever GETTING one. Nevertheless, I still say you need to think seriously about implementing the tenets of this new law. Not only is the basic concept–getting a tighter rein on how companies use customers’ personal data–a good idea, it is an idea I expect to spread: it wouldn’t surprise me to see the US adopt similar regulations soon–within the next five years, even. My advice is to start planning now.
A High-level View of GDPR
There are three primary areas where the GDPR will have the most dramatic effect. I won’t go into heavy detail (I’m not a lawyer and this isn’t a technical blog), but I’ll highlight the major points of impact.
1. You Must Have a Lawful Basis
GDPR requires that merchants have a “valid lawful basis” for processing personal data. There are six lawful bases, and mostly they come down to whether the processing is necessary: in other words, if there’s some feasible way to accomplish the same goals without processing personal data, you probably won’t legally be allowed to process it.
3. You Must Have a Data Processing Contract
If you take credit or debit cards and use a third-party data processor like PayPal, you need to have a written contract in place to ensure that “both parties understand their responsibilities and liabilities.” The GDPR lists what needs to be included in this contract, typically a Data Processing Agreement (DPA).
Are You Sure This Really Affects Me?
If you do absolutely no work with European citizens, there is a chance the GDPR doesn’t apply to you … yet. If you sell prints to someone in London over your website, though, or do any kind of email marketing that might go overseas … well, sorry, you’re in the loop: if you collect, process, or use personal data of any EU citizens, you are liable. Not complying with GDPR can result in fines–some of them fairly steep. EU regulators are allowed to fine US companies for GDPR violations; in some cases, US authorities may even help.
No Time to Be Complacent
Feeling a bit overwhelmed by all this? While that’s understandable, it’s good to keep in mind that the end goal is relevant: the protection of personal data. We all want our customers to feel confident that their information is safe in our hands, so the laws make sense. Plus, as I mentioned, there’s a good chance a version of these regulations will make it over here to the States, so I recommend you go ahead and bite the bullet: start implementing the GDPR protocols into your business right now.