What is GDPR?
Until recently, most businesses outside the EU hadn’t even heard of it! This week it was everywhere: GDPR comes into effect on May 25, 2018.
That’s all fine and well, but what is it, and what effect could it possibly have on the other side of the world?
GDPR refers to the EU General Data Protection Regulation. Companies worldwide have been sending out emails asking clients to “opt in” or advising that “privacy policies have been changed”. The regulation has increased territorial scope: it affects enterprises outside of the EU that deal with EU residents, citizens or companies. It affects any person visiting the EU, irrespective of their nationality and country of residence. Moreover, while they are travelling in the EU, their personal data is protected and subject to these regulations.
The purpose of this regulation is to protect the personal data and privacy of EU citizens and residents when their data is shared, exported, and processed outside of the EU. There are now restrictions on transferring personal data outside of the EU, to third countries or even to international organizations. Obviously, the EU citizen or resident can provide their data. But a company cannot transfer that data to another company or server unless it’s to a country where the protection has been deemed to be “adequate”.
This covers information including IP addresses, location data and online identifiers, not just the details that the client may provide voluntarily. It includes information like email addresses, the physical device information (mobile, tablet, PC), home addresses, birth dates, and other information which may have been collected about a user. This includes financial transaction history in the case of purchase of goods or services. It even goes further to protect social media posts, personal images (such as those uploaded to Facebook or Instagram).
Implications for Panamanian firms
The biggest change we see here is that the presumption has moved from “opt out” to “opt in”. Users no longer “opt out” of the services. It is now necessary to obtain the user’s consent by having them “opt in”.
Panama does not come under the jurisdictions where the protection offered is considered to be “adequate”. So, if a transfer of data were to be made to a Panamanian server or company, the EU DPA could seek an injunction to block this.
Panamanian providers, if they are selling online within the EU, must consider how they handle all of the personal data involved. A provider that offers goods and services to a person in the EU will be subject to GDPR. These regulations apply to non-EU data processors. This includes cloud service providers and storage or hosting services. All of these may unwittingly hold information of EU data subjects. Data subjects have the right to approve what their data is used for, including profiling.
Perhaps more important is how GDPR deals with the issue of “tracking” – when a company monitors the behaviour of its users in the EU. This might include, for example, how Amazon tracks the items that you look at in its store and then offers you similar items. It includes how Google looks at your searches and then offers you advertising based on those searches. This could be more technically described as “profiling techniques” – analysing and predicting the personal preferences of users.
Considerations:
Panamanian firms should consider the following steps in looking at GDPR:
- data audit – what information do you hold?
- consent from the individual or client to hold the data (opt in)
- not holding the data for longer than necessary
- erasing upon request, or deleting when obsolete and no longer required
- automatic data breach notification
- an IT compliance officer
This changes how data is stored, processed and protected. Best practices will minimise and mitigate risks from the start. This includes steps such as auditing the data your company holds or handles, where you have it stored, and why you have it.
You may need to look at your “opt in” forms or rework your consent and disclosure forms for business customers.