2018 was a year of big changes in terms of website cookie alerts. In the past many websites had some sort of throwaway popup letting a visitor know that cookies would be set in order for the website to work – this was a matter of course. Today, you are more likely to find a large disclaimer, with the option to read further about how the website will use your data and exactly what it will store when you visit.
This change has largely been facilitated by the introduction of the General Data Protection Regulation (GDPR) by the EU. In response to the rise in data breaches and lost personal data – as well as the fact that the previous data protection rules were seriously out of date – the GDPR set down a new standard for any business that collects, processes or stores the data of EU citizens.
But now that the GDPR is in place, does it mean that businesses outside the EU should avoid targeting European customers? Europe has traditionally been seen as an area where there can be fantastic opportunities for businesses to expand into. But it could be the case that the GDPR is changing perceptions.
Some businesses have entirely blocked EU visitors!
We have already seen that some websites have taken the step to block EU visitors entirely – worried that holding EU data could put them in a difficult position. EU visitors to some of the largest US daily newspapers such as the NY Daily News and the Chicago Tribune are blocked from viewing the sites entirely.
Some businesses simply aren’t prepared to commit themselves to complying with the GDPR for the sake of EU visitors. But blocking visitors is one thing – excluding genuine paying customers is something different, and is it wise for businesses to remove a potentially lucrative market because they are not willing to comply with regulations? To understand that, we need to understand how the GDPR affects non-EU businesses.
How does the GDPR affect non-EU businesses?
Interestingly, the location of the business has no bearing on the GDPR – the rules are based on the location of the customer whose personal data you are storing. So, businesses that are based outside the EU but store the personal data of people in the EU have to follow the same rules as a company based inside the EU.
This means that if any business wants to hold any kind of customer data – including processing transactions and taking orders – it needs to comply with all of the rules. The GDPR has a vast range of regulations that businesses need to abide by but some of the most notable include the need to gain a form of consent in order to send marketing materials.
Additionally, businesses are required to take adequate measures to protect personal data and keep their systems secure. In the event of a data breach, they also need to be able to inform those individuals who have lost data within 72 hours of becoming aware of the breach.
Businesses that fail to comply with the GDPR can be heavily fined – up to €20 million or four per cent of global turnover – whichever is greater.
Does Brexit complicate things?
One issue that could potentially complicate matters is the impending British exit from the EU. After Brexit, the UK will no longer be an EU country and therefore the rules governing trading with EU businesses will not necessarily apply. So, what does this mean for the GDPR – can businesses look forward to trading with UK citizens with fewer regulations than they have to deal with for EU citizens?
It actually appears that Brexit will not impact businesses. The GDPR has been transposed into the NIS regulations in the UK. This means that the UK will have functionally the same data protection laws as the EU, even after Brexit.