The European Union will begin enforcing the General Data Protection Regulation (GDPR) on May 25, 2018, and businesses that process the personal data or monitor behavior of people within the EU are scrambling to achieve GDPR compliance.
As a North American-based ISV, you may be aware of the approaching GDPR deadline, but you may have concluded that the regulation doesn’t apply to you.
You may be wrong.
Businesses throughout the world, possibly including some of your North American-based clients, may need to prove GDPR compliance. If they don’t, they could face severe penalties—more than $20 million USD or 4% of annual revenues, whichever is greater, for the most egregious violations.
The Long Arm of GDPR
GDPR applies to all businesses established in the EU, but companies can be “established” there in different ways. The “Right to be Forgotten” decision, for example, found that Google was established in the EU due to search activities linked to advertising sales from Google Spain.
GDPR also applies to companies that collect data in the EU or monitor the behavior of people there. Many U.S. businesses involved in e-commerce will be required to show GDPR compliance. Just having an e-commerce website, however, may not be enough for the Court of Justice of the European Union (CJEU) to decide that the regulation applies. In Pammer v. Schulter, the CJEU ruled that it was necessary to show the business had established commercial relations with consumers in at least one of the EU states. Criteria the court may apply include using the EU state’s language, currency, or top-level domain name, citing customers in that state as examples, or advertising targeted at consumers there.
It’s also important to recognize that the regulation isn’t written to protect only citizens of the EU, but anyone there—including non-citizen residents and visitors. So, businesses that provide products or services to only tourists, for example, haven’t found a loophole.
And although GDPR applies to businesses with more than 250 employees, companies with fewer than 250 employees must also comply if they process personal data on a regular basis. Businesses must also meet the requirements if they handle data covered by Article 9 of GDPR, including data revealing race, ethnicity, political affiliation, or religion, genetic or biometric data, health issues, or sexual orientation.
The North American ISV’s Aha Moment
These examples show that some North American-based businesses will have to prove GDPR compliance, and the software they use will play a prominent role in their ability to do so. If you want to keep their business, GDPR is something your ISV business needs to address. Some steps you can take to modify your solutions to comply with GDPR include:
- Make maximum privacy the default setting. Your software shouldn’t require any configuring by the client so they can ensure maximum protection for personal data.
- Include a process for locating all of a user’s data so it can be restricted, corrected, or accessed by that person.
- For the “right to be forgotten” provision, consider including a way to erase all data that pertains to a specific person and to notify any third parties that used the data.
- Process only data that is required and keep it just for the timeframe in which it’s needed.
- Encrypt stored data and data in transit.
- Use pseudonymization so a person can’t be matched with their data when, for example, transmitting data to a third party or using it for testing purposes.
- Keep a record of everyone who uses your API.
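As an added illustration (example code written for this page, not from the original article), here is one way to implement the locate, erase-and-notify, and pseudonymization steps above in Python. The record set, field names and the secret key are constructed for the example; in a real product the key stays with the data controller and never reaches the test or third-party environment.

```python
import hashlib
import hmac

# Constructed sample "user table": one person can appear in several records,
# and each record remembers which third parties it was disclosed to.
RECORDS = [
    {"id": 1, "email": "ana@example.com", "name": "Ana Lima", "plan": "pro",
     "shared_with": ["crm-vendor"]},
    {"id": 2, "email": "bob@example.com", "name": "Bob Ray", "plan": "free",
     "shared_with": []},
    {"id": 3, "email": "ana@example.com", "name": "Ana Lima", "plan": "pro",
     "shared_with": ["analytics-vendor"]},
]

# Fields that directly identify a person (hypothetical choice for this example).
DIRECT_IDENTIFIERS = ("email", "name")


def locate(records, email):
    """Access / rectification / restriction: find every record for one subject."""
    return [r for r in records if r["email"].lower() == email.lower()]


def erase(records, email):
    """Right to be forgotten: drop the subject's records and return the
    remaining records plus the third parties that must be notified."""
    kept, to_notify = [], set()
    for r in records:
        if r["email"].lower() == email.lower():
            to_notify.update(r["shared_with"])
        else:
            kept.append(r)
    return kept, sorted(to_notify)


def pseudonymize(record, key):
    """Replace direct identifiers with a keyed token before the record leaves
    the production boundary (test data, third-party transfer). The same input
    yields the same token, so records stay linkable without revealing who the
    person is; re-identification needs the key, which stays with the controller.
    Disclosure bookkeeping is dropped because downstream parties do not need it."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
        elif field != "shared_with":
            out[field] = value
    return out
```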
Denying that GDPR will impact your business is a risky position to take. This head-in-the-sand attitude could result in lost customers who migrate to solutions and practices that support GDPR compliance. Learn all you can about GDPR so that you can ensure your software — and clients — are in compliance.