Does the GDPR Apply to You and How to Comply - Bite-Sized Legal #6

By Bite-Sized Legal • Issue #6 • View online
The GDPR, the EU General Data Protection Regulation and the world’s most comprehensive data privacy law, is the law that worries indie hackers the most.
It was written to tackle the Googles and the Facebooks of the world, but it worries independent creators and small businesses far more than it worries the tech giants.
It is not as big a burden as it seems.
In this newsletter, I will explain how to determine whether the GDPR applies to you at all and, if it does, what the minimum is that you need to do to comply.

Does the GDPR Apply to You?
You can determine that by applying the following formula:
  • EU business + EU users = GDPR applies
  • EU business + non-EU users = GDPR applies
  • EU business + EU/non-EU users = GDPR applies
  • Non-EU business + EU users = GDPR applies
  • Non-EU business + non-EU users = GDPR does NOT apply
  • Non-EU business + EU/non-EU users = GDPR applies only to the relationship with the EU users.
The GDPR does not apply to businesses or to users as such. It applies to the relationships between them.
More precisely, the GDPR applies to any relationship where at least one side - the business, the user, or both - is in the EU.
If your business is global, you have to consider compliance with this law: you never know when a user from the EU will land on your website and you will collect and process their personal data.
How to Comply with the GDPR
Independent creators, makers, and freelancers who collect and process personal data subject to the GDPR need, at a minimum, to:
  • have a GDPR-compliant privacy policy on the website,
  • obtain explicit consent for the collection and processing of data (if no other legal basis applies), and
  • keep records of the consents obtained, if any.
That’s the minimum you need to start.
Later on, you may need to:
  • respond to data subject requests (users may ask what you do with their data, ask you to delete it, and so on - and you have to comply with those requests), and
  • notify the authorities and the affected users about data breaches, if any occur.
Final Thought
These are just the basics. Determining whether GDPR applies to you is only the first step toward compliance.
Also, keep in mind that compliance with the GDPR is the closest you can get to global data privacy compliance. The US laws (along with India’s, for now) are the only ones that do not resemble the EU standard.
Brazil, Thailand, Canada, Australia, the UK, the non-EU European countries, South Africa, Mexico, soon India, and many others have laws similar to the GDPR and require pretty much the same things from your business.
So, unless you are located in the US and target the US exclusively, consider having a GDPR-compliant privacy policy in place and a means to obtain consent for the use of cookies.