How Should Small Businesses Respond to the GDPR?

By Cliff Ennico

May 15, 2018

"My partner and I run a small software business that caters to a niche market.

"Our customers (all businesses — we don't sell to individuals) are located primarily in the United States and Canada, but we do have two corporate customers in the United Kingdom that account for less than 1 percent of our total global revenue. We don't advertise or promote our products extensively outside the U.S. but we do accept payment in British pounds as a convenience to these two customers.

"We've been reading a lot about the new European Union regulation on data privacy, and we're a bit frightened about it. While our products are designed to help our customers manipulate their customers' data, we don't ourselves have access to that data except in one narrow situation — where our customers request maintenance support for our products and our technicians have to look at 'screenshots' to do the necessary work. There's a chance that these 'screenshots' may contain personal data of people living in Europe.

"What can we do? We don't want to lose our European business but can't afford to pay $20,000 or more each year for cyberinsurance and a full-blown compliance program."

For those who don't already know, the European Union's new data privacy law known as the General Data Protection Regulation, or GDPR, goes into effect May 25, 2018. The GDPR establishes a uniform data privacy law across the EU and applies to any type of business, wherever it is located, that either offers goods or services in the EU or monitors behavior of EU citizens.

The biggest problem with the GDPR is that there is no small business exception of any kind. If your business offers services in the EU and has personal information of individual residents of the EU (called "data subjects"), it is subject to the GDPR — all 99 Articles of it (see https://gdpr-info.eu for the complete text) — even if it doesn't have any other connection with the EU. So, for example, an eBay seller who sells an antique to an Italian buyer and receives an email containing the buyer's home address and telephone number would, without more, be subject to the GDPR.

Penalties for noncompliance with the GDPR are extremely high and can range up to 20 million euros (about $24 million) or 4 percent of your business's annual worldwide income (whichever is greater) for serious violations.

Obviously, it will be quite a while before we are certain how the GDPR will be enforced, especially for minor, inadvertent violations. But here are some actions you may want to discuss with your lawyer in the weeks ahead:

Block Access to Personal Data by People Outside the U.S. Send your European customers a message clearly warning them to "scrape" any personal data about EU data subjects before making a service request. If that is not possible, ask your customers to warn you in advance when screenshots submitted to you for review contain personal data, and warn them not to send screenshots until your legal counsel says it's OK.

State Clearly That You Will Not Keep or Transfer Personal Data. It does not appear that you sell or transfer anybody's data to third parties. When a service ticket is performed, do you promptly destroy the screenshots and all data they may contain? If so, make that an explicit promise in your privacy policy. If not, make it your policy going forward.

Get a GDPR Indemnity. Most software license agreements contain an indemnification clause by which the licensee (your customer) agrees to indemnify the software owner and hold it harmless in the event of the licensee failing to comply with "any applicable law, rule or regulation." If that language appears in your agreement (if it doesn't, you need a new agreement, and maybe a new lawyer), send your European customers a short, polite note letting them know that if they breach the GDPR, you will expect them to indemnify you for any resulting damages or liability.

Consider Withdrawing From Europe Altogether. For many small businesses, the cost of complying with the GDPR may well outweigh the benefits of doing business in Europe. If European business accounts for less than 1 percent of your total gross revenue, consider terminating your European customer agreements or refusing to provide them with maintenance and consulting services.

American software and technology is, by and large, still the best in the world (although the Chinese are rapidly catching up). Not having access to the best would be Europe's loss.

Consider Adding a GDPR Surcharge to Your Prices. You will incur some expenses to comply with the new law, even if it's only paying your attorney to update your privacy policy and user documents. Consider charging your European customers more than your U.S. customers to cover the increased compliance costs.

Your ancestors who fought and died at Lexington, Concord, the Ardennes forest and the beaches of Normandy will arise from their graves and cheer you on.

Cliff Ennico ([email protected]) is a syndicated columnist, author and former host of the PBS television series "Money Hunt." This column is no substitute for legal, tax or financial advice, which can be furnished only by a qualified professional licensed in your state. To find out more about Cliff Ennico and other Creators Syndicate writers and cartoonists, visit our webpage at www.creators.com.
