It’s all about protecting people’s personal information! Just about anything you collect from an individual (even if you don’t know their name) is considered by the GDPR (and the Israeli regulator) to be personal information, e.g. an e-mail address, an IP address or any other information that could lead you to a specific person, with or without the addition of other information, which may even be freely available on the Internet.
It’s all about consent or ‘if I get consent, I can do anything’
No… it’s not all about consent! There are a variety of legal bases for collecting personal information, and consent is only one of them. Using consent as a basis to collect personal information is particularly tricky, and if it can be avoided, I would encourage avoiding it.
In order for consent to be valid, (1) it has to be freely given, (2) it has to be given by an active step (not a pre-checked checkbox), and (3) you need separate consent for each use of the personal information; consent can also be withdrawn at any time.
I don’t have any European customers, so it doesn’t apply to me
If you are not located in Europe and you are not marketing to Europe, it is likely that the GDPR does not apply to you directly. However, if you have any international customers, anywhere in the world, it is likely that they have European customers and that they will insist you be GDPR compliant or they will not use your services.
So yes, even if you are not in the EU, it is highly likely that you will not be able to ignore the GDPR.
I’m in Israel, why would a European regulator care about me?
You are correct, it is unlikely that any European regulator would proactively seek you out, but remember that under Israeli law you also have certain privacy undertakings and the Israeli regulator has become more active in the last year or two; and don’t forget the risks you face of a class action suit or a data breach. These things could cost you a lot more than any fine from any regulator.
I’m not responsible for my sub-contractors
Oh yes you are! You are responsible for your entire supply chain all the way down. This is why you should be sure to use GDPR compliant sub-contractors, and why, if you purchase leads, you must be sure that the company selling you the leads is GDPR compliant; otherwise you will be equally responsible for any privacy fouls.
I need GDPR certification
As of this stage, there is no such thing as GDPR certification. The EU has yet to grant anyone the accreditation to give GDPR certification.
If I do GDPR, I am okay for California (the CCPA)
I’m afraid not. It will certainly help, but California (the fifth biggest economy in the world) has its own regulation (the “CCPA”), which entered into force on January 1st this year. In some cases the CCPA is even more stringent than the GDPR; in others it could be considered more lenient. If you have any clients located in California, it is important to check this out, as the exposure here is serious.
So to summarize, some tips:
- It is important to note that under the GDPR you need a separate cookies policy. More information about this will come in a separate article.
- If you are relying on consent, you need a separate consent for every single thing you plan to do with a person’s personal information. For example, in the case of lead management (if you are basing your collection of personal information on consent), you need consent to pass the information to the third party who has requested it, and if the third party also wants to add the person to their mailing list, this will require additional consent.
- There are alternatives to consent, and if you qualify for one of them, they can be easier to comply with.
- Even if you have consent, you can only use the information for the specific purpose for which it was provided.
- The data subject has many and various rights which have to be taken into account, such as the right to withdraw his or her consent at any time, “the right to be forgotten” (which means deleting personal data as soon as a user asks) and more.
- GDPR also means that you need to make sure you handle all personal data securely.
Disclaimer: the foregoing is only general information and not legal advice. Please engage legal counsel should you require.
Beverley Zabow, Adv., CIPP/E is an experienced Israeli commercial attorney, certified by the International Association of Privacy Professionals (IAPP) for compliance in Europe. She has extensive knowledge and experience supporting hi-tech companies at all stages and in a large variety of fields. Beverley can be reached at [email protected] or visit www.ht-ip-law.com.