There has been a flurry of activity worldwide due to the GDPR regulations that went into full effect on May 25, 2018. You may be wondering:
“Do I need to be concerned about the GDPR regulations?”
It’s an important question to ask because a violation of GDPR compliance could result in fines of up to $20M or 4% of your gross annual revenue. And, who can afford that?
So, how do you know if the GDPR regulations actually affect you and how you conduct business? Or, if we use GDPR-speak: “What is the material scope of the regulation?”
Article 2(1) states that GDPR regulations apply to:
“The processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”
GDPR regulations apply if:
- Something is done with or to data
- The above-mentioned data belongs to a person
- The person is identified or capable of being identified
And, what is being done to or with the data is either:
- Fully or partly automated, or
- Performed on data that is or will be part of a filing system.
The GDPR regulations are focused on business being conducted in Europe.
The laws are in place to protect the personal data of consumers who are located in the EU. However, because the World Wide Web is…well…worldwide, you could still be affected if you run an online business even if you are not based in Europe.
We will go into the ways that GDPR regulations affect those who conduct business from locations outside of the EU in a separate blog post. For now, let’s stick to the general principles of the GDPR regulations.
Here is a breakdown of some of the terms used within the GDPR regulations:
- Processing – “Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
- Personal Data – “Any information relating to an identified or identifiable natural person.”
- Identified or identifiable person – “A person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
- Automated vs. Manual – Fully automated means that there is no human involvement, whereas partly automated involves some degree of human involvement. Manual means that only humans are involved in the processing, without any form of computer technology (meaning hard copies that include someone’s personal data also fall under GDPR regulations).
- Filing System – “Any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.” This could be online or in hard copies.
In a nutshell, the GDPR regulations apply to use of or anything being done to data that relates to a human being. Pretty broad, right?
According to the GDPR regulations, a business entity is either a data controller or a data processor. GDPR Article 4 states that:
- ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
- ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Within JVZoo, many sellers market and sell their products to EU consumers. The sellers decide what to do with that data, which makes them data controllers who are directly bound by the GDPR. Since the sellers may share some of the personal data obtained from EU buyers with their affiliates via the JVZoo platform, affiliates are also subject to the GDPR and they are also data controllers because they choose how to use the data.
JVZoo provides a platform for its sellers to offer their products and, as a service provider, processes personal data on behalf of its customers. This makes JVZoo a data processor that is indirectly regulated by the GDPR by virtue of the fact that sellers and affiliates need to comply with the law.
JVZoo supports users all over the world, so of course, we have been working hard with VeraSafe and our corporate counsel to be sure we are compliant with GDPR regulations. For more info on the actions JVZoo has taken to protect personal data, Click Here.
Still wondering if GDPR regulations apply to you?
Start by asking yourself the following about yourself and your business:
- Do I collect people’s names?
- Do I collect people’s email addresses?
- Do I collect info on my clients’ location?
- Do I collect data on any physical characteristics of my clients?
If you answered ‘YES’ to one or more of the above questions, you might want to look closer at the GDPR regulations. It’s worth it to protect yourself. Even though these laws are out of the EU and primarily affect people in the EU, it is likely that regulations of a similar nature will be rolled out in other areas of the world very soon. Be prepared.
As a disclaimer, neither JVZoo nor any employee or representative of the Company is an expert on GDPR regulations. For the most accurate info on details of the laws, contact an attorney who is familiar with the GDPR, or visit:
- The Official EU Government Site
- This neatly arranged final text of GDPR
- One more easily readable text on GDPR
Watch for our next blog on GDPR where we will look closer at how GDPR regulations affect you depending on where you live and conduct business.