With the May deadline now passed for major new privacy regulations in the European Union (EU), many direct selling executives are asking themselves how far the restrictions will extend into their EU field operations.
Direct sellers may be particularly exposed to the new rules: most not only use end-user and customer data themselves, but also have relationships with distributors and other entities that hold and process EU residents' personal information on their own account.
As a result, some direct sales companies are even re-evaluating whether to do business in Europe at all.
Known as the European Union General Data Protection Regulation, GDPR applies to any company that offers goods or services to, or monitors the behaviour of, people in the EU, whether or not the company is established in the EU and even if all of the data processing takes place outside it.
“Several of our clients have literally shut down their EU operations,” says Zach Arrington, Program Director of Risk Services at software firm Momentum Factor. “They didn’t think the risk was worth it.” The company works with clients around the globe and has been forced to adjust its own operations to accommodate clients who do business overseas. “It’s been a slog,” says Arrington.
For some companies, the burdens of GDPR are simply too overwhelming to continue doing business in the EU. “We have already informed our field in Europe that we will be leaving the markets there,” reports one senior executive at an international health and wellness company. “For us, the risk outweighs current and even future revenue opportunities. We trust our field, but we can’t expect each and every one of them to comply with what is in reality a major hurdle, much less enforce it.”
Another company executive states her company will “wait and see” how enforcement shakes out before making any final decisions. “We have updated all our European independent distributor contracts and believe we have achieved compliance, but no one can really be sure until the first enforcement action happens.”
It makes sense that direct sellers are worried. Unlike mainstream businesses whose data is assumed to be under their control, direct sellers have contractual relationships with up to hundreds of thousands of independent distributors who may or may not feel the same urgency to comply as the companies they represent.
According to Jonathan Riley, partner at London-based Memery Crystal law firm, independent distributors will be held to the same standards as the companies they represent. “There is no exemption from GDPR compliance for a small business or sole trader. Certainly from a data subject’s perspective this makes sense. If a business is processing your personal data, you want to know that it will be used properly regardless of the size of that business.”
Riley also says distributors for various companies may be classified as either “data controllers” or “data processors,” a key legal distinction in GDPR, based upon the company’s specific business model. Controllers determine the purposes for which the personal data collected will be used, and processors follow the controller’s instructions for processing the data. Riley says, “For those distributors who are classified as processors, maintaining compliance is probably going to be easier.”
Regardless of their classification, Riley adds, “Companies can help by rolling out GDPR awareness and training materials, along with compliant templates such as website privacy notices, customer order forms, and data security standards.”
Enforcement of the regulation began in May 2018, the culmination of a process that started with the Commission's proposal in January 2012; the European Parliament approved the final text in April 2016, and it was published in May 2016 with a two-year transition period before it became enforceable. (See the FAQ on www.eugdpr.org.)
The United Kingdom (UK) is set to exit the European Union in March 2019, ten months after GDPR took effect there. In practice it matters little: the UK government has enacted its own domestic legislation, the Data Protection Bill (now the Data Protection Act 2018), which sits alongside GDPR, so compliance measures already implemented will carry over.
Non-Compliance will be Expensive
GDPR's accountability principle means a company must be able to demonstrate its compliance at any time, effectively an “audit-ready” status, and to produce evidence that compliance is continuous rather than a one-off exercise: records of processing, documented security measures, data protection impact assessments where required, and proof that distributors and other processors are bound by compliant contracts. Strong data security has always been a best practice, but GDPR raises the bar with large fines for non-compliance. In other words, this time they mean it, and have put some sharp teeth into the measure.
The fines are tiered, but hefty at either tier. Lesser infringements, such as failing to build in security or notify breaches, can draw fines of up to 10 million euros or two percent of worldwide annual turnover, whichever is higher; infringements of the core principles, of data subjects' rights, or of the transfer rules can draw fines of up to 20 million euros or four percent of worldwide annual turnover, again whichever is higher. Conduct that can attract a fine includes:
- Transferring personal data outside the EU without a lawful basis (upper tier)
- Failure to have the required policies, records and procedures in place
- Failure to implement security measures appropriate to the risk, exposed when an outside attacker succeeds
- Failure to notify affected individuals of a breach likely to put them at high risk, personally rather than by a press release or a notice on the company website (public communication is allowed only where individual notice would involve disproportionate effort)
- Failure to report a breach to the supervisory authority within 72 hours of becoming aware of it
- Failure to appoint a data protection officer where one is required
- Failure to build data protection into new projects at the design stage
Notably, the regulation does not distinguish between a breach caused by a cyber attack and one caused by an employee's error: a breach is any security incident that leads to the destruction, loss, alteration, unauthorized disclosure of, or access to personal data, and the company remains responsible for it and for any failure to notify appropriately.
So what's the bottom line? GDPR gives individuals in the European Union greater control over their personal information in the digital world, and holds companies specifically responsible, with large fines, for failing to comply and for failing to protect, and to properly report, the personal data they hold.
It’s probably best to get on board now to understand the ramifications of GDPR. Experts say it’s only a matter of time before these standards have global adoption.