Critical legal insight – at an affordable price?

What a GDPR legal conference taught me

Like many small business owners, I find the array of legal expertise I could be paying for dizzying: tax and sales nexus expertise, IP expertise, business organization and expansion expertise, legal compliance with various regulatory bodies from various expert firms…

The last entry pertains to this blog. I need to have insight into what in the world the EU’s GDPR law means for me as a small business owner with digital offerings. I also need to know what my use of Facebook and sales lead pages to collect emails for content and offering delivery puts me at risk for. My journey started with the U.S. Commercial Service office in Portsmouth, NH (if you are a small business doing or thinking about having international offerings, you want to know people at the U.S. Commercial Service. Very helpful). From them I learned about a one-day conference on GDPR put on by the IAPP (International Association of Privacy Professionals).

The conference presentations included lawyers. I figured I had finally found a place to answer my – what is GDPR and what does it mean for my business – questions.

Here’s what happened

In listening to people talk before the conference began, I soon realized that I was the only small business owner in a crowd of about 50 or so lawyers. The panelists were also lawyers as were the panel leaders.

For 6 hours, I listened to well-phrased discussion and insights that I could understand about the business side of GDPR.

Yes, for $245, I received 6 hours of high-quality legal insight on a global regulatory piece.

I call that an amazing bargain.

What did I learn?

(Legal notice: I am not a lawyer and this is not legal advice for your firm. You will need to seek formal legal counsel for your firm’s activities. I think that covers it.)

There is still a lot of confusion over the application of the law in large part due to the global nature of supply chains, what data resides where with what administrative permissions, and digital technology.

For example, I am currently advertising on Facebook with ads to build an audience and collect email addresses so that I can send content and offering information to people.

Does this trigger GDPR requirements if it is viewed by people physically in the EU?

The ads do not because Facebook controls the sensitive data – I blindly use it.

The collection of email addresses does because I will control the sensitive information.

Do I need a privacy policy? Yes

Do I need to be GDPR compliant? That is an individual business decision because, as I understand it, by formally becoming GDPR compliant you also open up liability under FTC laws.

Do I need to map all the places I receive sensitive data – including email addresses? Yes

Do I need to worry if my ads are not targeted specifically to gain EU customers, the EU portion of my business is insignificant, and those ads are seen and an EU person asks for a piece of content even though I won’t know the person is in the EU? No

What if I target EU customers? Yes, I need to be compliant

What if EU customers are a large part of my business, but I am not specifically targeting them with my website or ad? Yes, due to the significant portion of business being performed by my firm in the EU.

What is my conclusion?

After 6 hours, GDPR, as it seems to me in my non-legal understanding, mainly boils down to the amount of control, who has it over what data, where that control is physically located, and the amount of business that control represents.

Of course, as I heard, there are a myriad of legal gray areas.

On the other hand, I got to listen in on an amazingly insightful parley between highly experienced personal, corporate, and boutique firm lawyers discussing personal privacy laws that I believe are only going to expand over time.

Find out where similar groups of lawyers are meeting on business subjects you need to know about and join them.

You’ll be glad you did.

And when you make your appointment to meet with a law firm, you’ll be able to speak directly to the subject at hand, which saves time and money.

Key words and concepts: GDPR, data, personal privacy, small business, supply chain, lawyers, IAPP

About the author: Cynthia Kalina-Kaminsky with Process & Strategy consults with and provides training for organizations eager to increase their competitive value by helping enable growth, align performance, make and move product (even when the product is electrons).