By Bill Moran and Rich Ptak
Image courtesy of European Commission
We’ve already discussed GDPR planning, focusing on general areas, e.g. security, that all companies should take seriously. Now, we address specific actions potentially necessary for GDPR conformance. The requirements will vary by industry and product type. We assume strict adherence to GDPR requirements and deadlines[1]. We focus on companies without a physical EU presence that may currently be doing business with its citizens/residents.
To enter or not…
First, determine the potential amount (volume) and value from existing or future EU customers. This includes residents/citizens that purchase products or services directly or over the internet. You need to determine the total value of EU business. Avoiding accounting details, business value is revenue less the expense and costs associated with product/service creation, demand generation, and delivery, etc. It includes customs, duties or taxes that you may pay to the EU.
BE AWARE THAT YOU MAY HAVE TO INCUR GDPR-RELATED COSTS INDEPENDENT OF ANY DECISION YOU MAKE ABOUT PURSUING EU BUSINESS!
However, if the compliance costs exceed the projected value, you may want further analysis before deciding. Is it possible to increase the business value with a price increase? Can you reduce compliance costs? Can you amortize costs across your total customer base[3]? Or, you can withdraw and refuse EU purchases. Finally, other relevant factors may affect the decision, so follow your organization’s procedures.[4]
Whatever you decide, you may still be impacted by GDPR, as we reveal below.
So, what’s happening now…
Some US newspapers and magazines, not wishing to conform to GDPR regulations, have terminated EU subscriber subscriptions[5]. Similarly, others may decide to back away from EU business. Note that doing this will still require scrubbing all EU customer information from databases.
In addition, some form of screening will be necessary to prevent EU residents/citizens from subscribing in the future. For example, require new customers to certify non-EU status. This should help to circumvent attempts at concealing actual status.
DETERMINING THE LEGALITY OF ANY ACTION IS BEYOND THE SCOPE OF THIS PAPER. WE ARE PROVIDING INFORMED OPINIONS.
WE SUGGEST CONTACTING AN ATTORNEY ABOUT THE LEGALITY OF SPECIFIC ACTIONS IF YOU HAVE QUESTIONS.
However, a large profit potential can encourage efforts to falsify the required certification. Unless such falsification is actively supported by the US company, we don’t see a risk to the company. If a good faith effort is made to block EU customers (i.e. requesting certification of non-EU status), a violation may be avoided.
GDPR requires significant customer control over their data. To comply, some companies are proactively requesting customer acceptance and authorization for collecting and storing identification data at login and on a website. If properly worded and presented, this can satisfy the GDPR requirement for consumer authorization. However, it also imposes another GDPR requirement. The collecting entity must respond in a fixed time-period[6] to consumer requests to either provide or eliminate ALL individual information resident in their databases, extending backwards and into the future. More on this later.
Potentially risky scenarios
Another concern arises when a non-EU citizen customer moves to the EU on an assignment. It may be temporary or permanent[7]; either way, this raises questions. They wish to continue as a customer. If they inform you, you must make a choice. How long is the assignment? Does it qualify them as an EU-resident? If so, and you reject them, you lose a customer. If you keep them, GDPR kicks in. What to do?
First, it is not even obvious how to assure this situation is detected. A change in shipping address would be a clear indicator. Depending on the nature of the product/service, however, they might not notify you or request an address change. Periodic requests for recertification (of non-EU residency) would be cumbersome and off-putting to customers. Second, once the move is known, you must decide either to keep or terminate them. If you keep them, you become subject to GDPR. If you terminate them, the risk is a lost customer upon their return from the EU, and inevitably you will be blamed for any inconvenience.
Other questions arise. How long does a “temporary” assignment last before the EU asserts residency applies? What are the ramifications of providing service for “long-term” temporary residents? These need clarification.
A different problem arises for a company doing business with a multi-national firm (MNF). The MNF will fully comply with GDPR. The MNF can request its suppliers certify compliance or intent-to-comply with GDPR with 3rd party- or self-certification. It may or may not be mandatory, but compliant firms receive preferential treatment. A decision will balance GDPR implementation costs & risk of GDPR violation versus the value of the multi-national as a customer. The effort and cost of compliance involve multiple issues beyond the product/service, including commitments such as warranty support, inquiries to the supplier, special agreements, and so forth.
In another case, the MNF does not require GDPR certification but provides your product to employees worldwide. If there is never contact with EU-resident employees, no problem. If there is direct contact[8], retaining any information on them violates GDPR. One solution: if the MNF routes EU-resident employee queries through a non-EU resident who then handles all communication, all is well. Still, if any MNF EU-employee’s information, such as a telephone number[9] or email address, is entered into any of your corporate systems, a potential problem is created. A process to avoid storing any identifying information is needed.
Depending on your situation you may need to restrict customers from exporting your product to EU countries. One can imagine situations where a lifesaving product would be blocked from sale in the EU. When this situation arises, the GDPR policy will have a problem.
Another challenge occurs in handling EU citizen/resident walk-in business. A cash purchase is no problem; a credit card purchase is. Retaining their name and credit card information invokes GDPR rules. Our recommendation is to delete all information about that customer as soon as possible. Potentially, there is the option of refusing use of a credit card; but you need to carefully consider this case and the potential negative effect on business.
Unfortunately, some firms, say an airline like JetBlue, must retain information on all customers until after the product/service is delivered. JetBlue must retain passenger identity information until the flight completes. They will have to comply with GDPR or ban EU residents/citizens from their flights.
One further regulation issue relates to erasure of an individual’s data including archived data. Companies may not have considered this when setting up their databases. Even companies deciding against FUTURE business with EU customers, but with past data on their systems are subject to this. We are convinced this will be costly to implement. Thus, GDPR has created a situation where you must comply with one of its most costly requirements, even as you try to avoid its clutches.
Finally, many companies will need a process to handle questions from EU-citizens/residents. You will want a professional response to such communications. However, to avoid GDPR requirements, you cannot retain any identifying information on the person requesting information. A process is needed. Since many of these communications will come by email, you now need a procedure to delete their information from your email system. You probably want a procedure to notify the sender that this is happening because of GDPR.
Summary
We are not foolish enough to believe that we have exhausted this topic. Over time many other situations will arise. We have focused on some key points to consider in developing a response to GDPR. Let us recap.
- Some form of GDPR is coming worldwide. The massive disclosure of people’s information will not be allowed to continue. Therefore, tightening-up security along with similar GDPR policies makes sense. It is better to do something in a planned manner rather than wait until it becomes a requirement with possible penalties for non-compliance.
- The EU will attempt to enforce GDPR against companies on a worldwide basis. We assume that they will, at least partially, succeed. Therefore, it is prudent to act to avoid falling afoul of the regulations. It is possible that this effort will fail in some jurisdictions[10]. In that case, we believe a local form of GDPR will still be enacted.
- Even without an EU presence, there are business decisions to make. You must determine how much business you currently have with EU citizens/residents. You need to decide the value of this business versus the cost of complying with the GDPR. There exists the complication of doing business with a multi-national company that wishes GDPR compliance.
- If you decide that you want to avoid the cost of GDPR compliance, there are still some steps to take to ensure that corporate systems do not contain any EU resident/citizen information. Remember: this is not just a one-time effort; it must be continuous.
- Finally, prudent business managers will take account of GDPR requirements and their inevitable spread in planning for the future.
Our research convinces us that some GDPR policies, especially those recognized as Best Practices, will prove beneficial. The unrealistic and awkwardly articulated parts will likely be resolved over time. We advise IT and business managers to work together to identify and implement relevant requirements.
Publication Date: June 24, 2018
This document is subject to copyright. No part of this publication may be reproduced by any method whatsoever without the prior written consent of Ptak Associates LLC.
To obtain reprint rights contact associates@ptakassociates.com
All trademarks are the property of their respective owners.
[1] Although we believe that due to real-world limitations there will be interpretive leeway in GDPR requirements.
[2] A decision to comply with GDPR means it is necessary to comply with requests to completely erase any current and prior information on an individual. This may mean going to backup tapes and erasing this information. This raises some questions. How far back? Erasing may be very expensive in practice.
[3] If a very high probability exists that GDPR-like requirements will be enacted, this becomes obvious.
[4] Keep in mind a decision to withdraw is reversible. Rules may be relaxed, or the US may implement similar ones. At that time, reentry difficulty and costs may be higher or lower.
[5] It is worth noting that communication with EU customers may itself be subject to GDPR rules. So, the sending company could not keep their names and addresses in its databases, including in email, or other electronic form. This is another example of a potential GDPR Catch 22 whereby an attempt to avoid it can itself backfire.
[6] From what we know, the GDPR allowed times for full compliance are too short.
[7] The issue of when a tourist becomes a resident for GDPR purposes is sure to arise at some point.
[8] Any information that even potentially identifies an individual, such as a telephone number, email address, job title, or URL, can present a problem.
[9] It is unclear if the retention of information on a phone call with an EU citizen/resident is subject to GDPR.
[10] One can imagine that some rogue MNFs may find a jurisdiction outside the EU that will refuse to enforce GDPR. They will move all their EU business to that place and attempt to defy the EU.