Some of the best aspects of working remotely or having a location independent business are the freedom and opportunity for creativity that come with the lifestyle. However, pesky issues like legal and tax compliance are unavoidable realities of being a digital nomad.
On May 25, 2018, the EU implemented the General Data Protection Regulation (GDPR), a new data privacy law that has very specific requirements for anyone collecting, storing, or using the personal data of EU residents.
Why does this concern digital nomads?
If you have a website, any personal data of an EU resident, like an individual’s name or email address, that is collected through your contact form, email subscription box, or in a blog comment is protected by this law. If an EU resident can access your website and transfer data to you, then you are required to comply with the GDPR.
Are you thinking, “Well, I don’t have any customers or clients from the EU, so this really doesn’t concern me”? Remember that this law is so broad that even if your website collects an IP address from a visitor in the EU, this law DOES apply to you. If you have an email subscription option, what stops an EU resident from visiting your site and sending you their name and email address?
Basically, if you have a website, it’s safe to say the GDPR applies to you.
If you’re thinking that it sounds like the GDPR essentially covers nearly every human with a website, you’re not far off. With potential fines of up to 20 million euro or 4% of your annual global turnover (whichever is greater), the EU really means business with this new law.
So, how do you make sure you are in compliance? While policies and procedures should be tailored to each individual business, here are some general things you should think about:
Understand and identify the personal data you collect, store, and use.
Through any means of communication or transfer, including apps and software you use to track website statistics, do you collect the following information from EU residents:
- Email addresses
- Physical and mailing addresses
- Phone numbers
- Locations of website viewers and IP addresses
- Demographic information
- Personal information about income, health, profession, education level, etc.
These are all examples of personal data.
Give people the option to opt-out of direct marketing.
For most businesses or bloggers using a third-party data processor like MailChimp, you already have an unsubscribe option at the end of the emails you send to subscribers. It is important to have this opt-out function to comply with the GDPR and the U.S. CAN-SPAM Act.
Create an opt-in consent checkbox for email subscribers.
If you collect email addresses for a subscription list, you should include an opt-in checkbox that requires visitors to manually check a box, informing them that you plan to use their email address for direct marketing efforts and how you will protect their data.
Re-confirm existing subscribers from the EU.
Due to the new, specific consent requirements for data collection and storage, it is important to re-confirm the consent of your existing EU subscribers by reiterating who you are and explaining what personal data you hold, for what purpose(s) you use this data, how you protect this data and who else receives the data. Require EU subscribers to re-consent to these terms.
Completely delete and erase an individual’s personal data upon their request.
Another requirement of the GDPR is that, upon a person’s request, you totally erase the personal data you have for that individual.
Consider implementing a system to encrypt, anonymize, and/or pseudonymize certain types of sensitive data.
While, as a lawyer, I do not claim any special knowledge of the technical process behind encrypting, anonymizing, or pseudonymizing data, these are options you can implement in the way you collect data to help you comply with the GDPR. The value of these processes is that they help secure against data leaks and allow you to store only the information you really need.
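The two preceding points (erasing a person's data on request, and pseudonymizing or anonymizing what you keep) fit together in practice, and the following Python sketch shows how. It is an added example, not code from this article or from any of the services it names. It assumes an in-memory dictionary standing in for a real database, a constructed list of sample subscribers (not real people), and a hypothetical SubscriberStore class whose identity table (email to per-subscriber key) would in a real deployment live in a separately protected store from the analytics table.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample subscriber records for this example; not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "country": "DE", "age": 34},
    {"email": "bob@example.net", "country": "FR", "age": 29},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Stable for the same value and key, so
    records can still be linked for statistics, but not reversible or linkable
    by anyone who does not hold the key. A plain unkeyed hash of an email
    address would not do: anyone can confirm a guess by hashing it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def anonymize(record: dict) -> dict:
    """Irreversible reduction: drop the direct identifier and coarsen the
    quasi-identifiers so the row no longer points at one individual."""
    band = (record["age"] // 10) * 10
    return {"country": record["country"], "age_band": f"{band}-{band + 9}"}


class SubscriberStore:
    """Hypothetical store with two tables: an identity table mapping email ->
    per-subscriber key, and a data table keyed only by pseudonym. Erasing a
    subscriber deletes both; even a stale backup of the data table is then
    unlinkable to the person because the key no longer exists."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}   # identity table (keep separately protected)
        self._rows: dict[str, dict] = {}    # data table, keyed by pseudonym only

    def add(self, record: dict) -> str:
        email = record["email"].strip().lower()  # normalise so one person gets one key
        key = self._keys.setdefault(email, secrets.token_bytes(32))
        pseudonym = pseudonymize(email, key)
        # Only non-identifying fields go into the data table.
        self._rows[pseudonym] = {"country": record["country"], "age": record["age"]}
        return pseudonym

    def lookup(self, email: str) -> Optional[dict]:
        email = email.strip().lower()
        key = self._keys.get(email)
        if key is None:
            return None
        return self._rows.get(pseudonymize(email, key))

    def erase(self, email: str) -> bool:
        """Right-to-erasure handler; returns True if a subscriber was deleted."""
        email = email.strip().lower()
        key = self._keys.pop(email, None)
        if key is None:
            return False
        self._rows.pop(pseudonymize(email, key), None)
        return True

    def count(self) -> int:
        return len(self._rows)


if __name__ == "__main__":
    store = SubscriberStore()
    for rec in SAMPLE_RECORDS:
        store.add(rec)
    print(store.lookup("alice@example.org"))
    print([anonymize(r) for r in SAMPLE_RECORDS])
    store.erase("alice@example.org")
    print(store.lookup("alice@example.org"), store.count())
```

The design choice worth noting is the per-subscriber key: an erasure request is honoured by deleting the key and the row, and because the key is gone, any copy of the pseudonymized row that survives in a backup can no longer be tied back to the individual. The anonymize function is the one-way option for data you want to keep for statistics after the person is gone.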
Are these requirements actually enforced against small businesses and freelancers?
You may find various resources online stating that small businesses are not the target of this new law and imposing fines, particularly on small businesses, will be a last resort and low enforcement priority. However, as a business owner, that attitude could expose you to liability.
Plus, protecting the personal data of your clients, customers, and subscribers is not only important for GDPR compliance, but it also tells your audience that you care about their privacy and can be trusted with their personal information.
The good news is that many third-party data processors like MailChimp, Sumo, and Google are working hard to make GDPR compliance easier for their users. Ultimately, it is your responsibility to make sure you are protecting the personal data you collect, store, and use, providing disclosures and consent options, notifying individuals of data breaches, allowing individuals to opt out, and completely erasing the personal data you have collected upon an individual’s request.
Keep in mind that the suggestions above may not be all that you need to do to ensure GDPR compliance. Depending on your individual business and how you collect, store, and use personal data, the steps you need to take for GDPR compliance may be more extensive than what is described above.
If you are not sure whether you are in compliance or how to comply with the GDPR’s requirements, you should consult a licensed attorney regarding your unique circumstances.
Disclaimer: This information is for educational purposes only and does not constitute legal advice. If you have any questions about how to comply with GDPR requirements, you should consult an attorney.