It’s coming down to the wire. The European General Data Protection Regulation (GDPR) will be enforced starting May 25, and all organizations inside and outside the European Union (EU) must comply or face potentially hefty fines. If your organization hasn’t prepared by now, you probably feel like final exams are around the corner and you haven’t been to one class. So let’s cram.
The GDPR is a large collection of confusing regulations that data controllers – all organizations that process and store personal data – must follow to protect EU residents’ personal data. For months, experts have tried their best to break down the legalese and offer concrete steps you can take to ensure your organization is in full compliance.
Recent Infamia blog posts have mostly focused on systemic changes that should be made within your organization — changing data security policies, adapting contracts with third-party data processors, and generally rethinking how your organization manages its databases. However, as the deadline looms, there is one more option to consider.
What if you just don’t process any personal data of EU residents?
If you’re a small organization working on local issues or a small business dealing with just U.S. customers, does your organization really need to worry about GDPR compliance? If it processes or stores data, yes.
It’s a global economy and support comes from around the world. Unless you ask a user to provide their primary country of residence, you have no way of knowing whether or not they are an EU resident. If you ask for this information, as data controller you must explain how personal data is processed and stored in order to comply with the GDPR.
But what about blocking EU residents from your site altogether?
“Don’t even come to my website, because I check IP addresses”
One more term to add to the GDPR lexicon is “geofencing,” a practice that allows your organization to segregate how you collect and process data according to a physical location. By checking IP addresses, you can apply different strategies to users based in Paris from users residing in Washington, D.C. If the user is in Paris, then their personal data is not processed or stored. If the user is stateside, your organization has considerably less to worry about because U.S. laws on data security policy are considerably and disturbingly less strict than GDPR regulations.
Sound like a good option for avoiding the GDPR? Well, Mickey and Ernesto tackled this approach in a recent episode of Infamia’s Tech in Ten and quickly identified a number of problems. The most obvious is that people travel and they’re not necessarily tied to their personal laptops. If even one benevolent traveler from Berlin joins your mailing list or makes a donation from their friend’s computer in New York, you are still required to comply with the GDPR with regard to that individual’s personal data.
On the surface, though, there are companies who seem to have made geofencing work. If you’ve ever tried to access your Netflix account while visiting another country, you know that you can’t watch any of the content, even though you’re paying for the service. This is because Netflix tracks your IP address and prevents you from streaming content. So what’s the catch there? You register to have a Netflix account, which means you provide Netflix with personal data. You’re back to your original problem of collecting personal data to identify and separate out EU residents.
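To make the gap concrete, here is an added example (not code from the Infamia post or the Tech in Ten episode) of the simplest IP geofence: a longest-prefix lookup that maps a source address to a country and then decides whether to process personal data. The prefix table and the visitor records are constructed for illustration, not real allocations or real people; the EU member list is the 28 states as of May 2018. The last function shows the failure mode described above: the fence only knows the network the request came from, so an EU resident connecting from a U.S. address passes straight through while the GDPR still applies to them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed, illustrative prefix table (documentation ranges, NOT real
# allocations). A production deployment would load a GeoIP database, which
# is itself only an estimate of where an address is used.
GEO_TABLE = [
    ("198.51.100.0/24", "US"),
    ("203.0.113.0/24", "FR"),
    ("203.0.113.128/25", "DE"),   # more specific than the /24 above
    ("2001:db8:1::/48", "DE"),
    ("2001:db8:2::/48", "US"),
]

# EU member states at the time of the post (May 2018).
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
}

_NETWORKS = [(ipaddress.ip_network(cidr), cc) for cidr, cc in GEO_TABLE]


def country_for_ip(ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the constructed table.

    Returns an ISO country code, or None when no prefix covers the address.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in _NETWORKS:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def geofence_allows_processing(ip: str) -> bool:
    """The fence's decision: process personal data only for non-EU sources.

    An address the table cannot place is treated as potentially EU
    (fail closed), which is the conservative choice for this control.
    """
    cc = country_for_ip(ip)
    return cc is not None and cc not in EU_COUNTRIES


@dataclass
class Visitor:
    """Constructed visitor record (hypothetical, for the example only)."""
    name: str
    source_ip: str
    residence: Optional[str] = None   # what actually matters; usually unknown


def gdpr_applies(visitor: Visitor) -> bool:
    """The regulation turns on the person's residence, not their network."""
    return visitor.residence in EU_COUNTRIES


def fence_gap(visitors: List[Visitor]) -> List[str]:
    """Names of visitors the geofence lets through although the GDPR applies."""
    return [
        v.name for v in visitors
        if geofence_allows_processing(v.source_ip) and gdpr_applies(v)
    ]


# Constructed sample traffic: the traveler from Berlin on a friend's laptop
# in New York is indistinguishable, at the network layer, from a local user.
SAMPLE_VISITORS = [
    Visitor("local-donor", "198.51.100.9", residence="US"),
    Visitor("paris-reader", "203.0.113.7", residence="FR"),
    Visitor("berlin-traveler", "198.51.100.42", residence="DE"),
    Visitor("unknown-origin", "10.0.0.1", residence=None),
]

if __name__ == "__main__":
    for v in SAMPLE_VISITORS:
        print(f"{v.name:16} ip={v.source_ip:15} geo={country_for_ip(v.source_ip)} "
              f"fence_allows={geofence_allows_processing(v.source_ip)} "
              f"gdpr_applies={gdpr_applies(v)}")
    print("slipped through the fence:", fence_gap(SAMPLE_VISITORS))
```

Running it lists `berlin-traveler` as the one record the fence admits while the regulation still covers it; adding a residence question to close that gap means collecting personal data, which is the circular problem the post describes next.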
Embrace GDPR compliance
To put it simply, blocking European constituents through geofencing to avoid GDPR compliance is risky and ill-advised. Unless you stop collecting personal data altogether, there is no foolproof way to prevent your organization from processing an EU resident’s personal data, no matter how small and locally focused your organization may be.
Additionally, when you eliminate processing and storing the personal data of every single person from an entire continent, you are eliminating a source of support and revenue. Soon enough, you will lose out to organizations who are in full compliance.
The GDPR probably seems terrifying by now, but it really is a great set of rules to protect personal data — rules data controllers like your organization should have been following all along. With the clock ticking, it’s easy to be swayed by possible short-term solutions, but your organization will need to shift its thinking in how it approaches data security long-term. Instead of thinking about how your organization will manage the personal data of EU residents, think about how you will manage the personal data of all of your constituents. Talk to your organization’s lawyers and reach out to data security experts to fall in line and stay in line.