Everyone is talking about GDPR, but what is it? Who does it apply to? How will it impact marketplaces and platforms? We wanted to shed some light on these questions.
The General Data Protection Regulation (“GDPR”) is a European regulation that will take effect on May 25, 2018, and replaces the Data Protection Directive of 1995 and the national data protection laws of the European Union (“EU”).
GDPR is designed to set a uniform standard across the EU with regard to the way organizations collect, use and share personal data of data subjects in the EU.
GDPR applies a broader than usual definition of personal data, including “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Therefore, the definition may capture, in certain circumstances, IP addresses, mobile device IDs, email addresses, cookies and other online identifiers.
The application of GDPR is cross-border: it covers the processing of personal data by organizations established in the EU in the course of their activities (covering both EU and non-EU data subjects). It also applies to non-EU organizations with no formal or physical presence in the EU, so long as such non-EU organizations offer goods or services to data subjects in the EU or monitor their behavior (to the extent the subject is within the EU), for example through internet use profiling.
The act of ‘processing’ covers a variety of actions of an organization such as collection, recording, structuring, storing, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction, etc.
Such non-EU organizations are generally required to designate a representative established in an EU member state where the data subjects whose personal data is processed or whose behavior is monitored are located. The term “established” can be interpreted in different ways, so whether an organization is considered established in the EU should be examined on a case-by-case basis.
GDPR includes certain key elements and obligations that impacted organizations should be aware of and implement, such as:
Organizations that fail to comply with the requirements of GDPR may face severe administrative and economic sanctions, including fines of up to EUR 20,000,000 or 4% of the organization’s total worldwide annual turnover of the preceding financial year.
As a commercial business such as a marketplace or digital platform selling or otherwise offering goods or services internationally and processing personal data, you should understand how and whether GDPR applies to your organization. The personal data collected, stored or processed by your organization might be that of your sellers, customers, vendors and even random visitors to your website.
GDPR can apply to your organization regardless of its size or revenues and even regardless of whether or not you have a formal presence in the EU. If you collect, hold, process or have access to information that can be used to identify a data subject in the EU, you are probably subject to GDPR.
Firstly, you should understand the criteria for offering “goods and services” to EU data subjects. Is your website accessible in the EU? Do you use EU languages and currency? Are your campaigns directed to the EU?
Let’s take, for example, a Singapore-based organization that sells hand-made ties. The company has neither offices nor an affiliate company established in the EU, but offers its goods online. The company runs campaigns targeted at customers in the EU and even offers translated pages of its website. This organization collects personal data upon registration and creation of an account, including the registrant’s name and email address. Does GDPR apply to this organization? The answer is yes.
The new regime of GDPR confers more responsibilities on the organization; it’s now the organization’s responsibility to confirm that the data it processes is duly protected. Sometimes GDPR only provides a framework or guideline, and the organization must determine if it’s the controller or a processor of personal data and make sure that it properly stores and protects personal data.
You should ask yourself a few questions to make sure that you are prepared for GDPR compliance: what is the nature of the personal data you collect? Are you going to collect additional types of information? How is it collected, processed and stored? What is the nature of processing? What are the current policies that need to be updated and created? Does your privacy policy adequately describe the use of the information? Do you need to appoint a Data Processing Officer? What are the legal grounds pursuant to which you collect the information? Do you rely on consent? Can you adequately comply with the data subjects’ rights? Are your security measures sufficient? These questions, and many more, need to be addressed when considering GDPR compliance.
Individuals are becoming more and more aware of their rights and of data collectors’ responsibilities as we count down towards May 2018.
At Payoneer we take pride in providing a high level of security and transparency with respect to how we collect, use and share the personal data of our customers, partners and vendors. We are diligently preparing for GDPR, updating our policies and refreshing our procedures pertaining to data subjects’ access and other rights and are taking these and other measures to be fully compliant with GDPR.
Please note that this isn’t intended to be a comprehensive and exhaustive review, but rather an outline of certain issues which we consider to be key to understanding GDPR. We recommend that you undertake your own analysis as to how GDPR applies to your organization specifically.