This post sets out our three-step guide to ensuring that your business, running G Suite for Business, is compliant with EU data protection legislation.
When does the GDPR apply?
The GDPR comes into force on 25 May 2018, but most of the preparation needs to happen before then. In particular, all of your email marketing lists need to be opted in. In most cases, that means you will need to go back to your existing lists and ask the people on them to opt in to the list.
Can I email scraped lists?
This is particularly important if you built your list before the EU GDPR by scraping other services or sites: those email addresses will no longer be available to you for email marketing unless you email them and ask them to opt in to receive communications from you.
What are the penalties?
There are a number of sanctions that local data protection authorities can impose to correct breaches by a company. Local regulators can also impose substantial financial penalties (broadly 2% of global annual turnover or €10m, whichever is the HIGHER). How those powers will be used remains to be seen, but it is certainly possible that sending large volumes of unsolicited email could result in huge fines.
How does G Suite relate to the GDPR?
One of the issues that the General Data Protection Regulation deals with is transfers of data outside the EEA to third parties. The US and the EU in particular have a tricky relationship over data, and the EU has essentially put the US on a black list for data protection. This means that in many circumstances it is unlawful to export data to the US (you can't do it, and you shouldn't do it). There are a number of safeguards that can be put in place to make those transfers lawful (including signing up to the Model Clauses, or having the US entity self-certify that it is compliant with the EU-US treaty on data transfers called Privacy Shield), but traditionally these have posed some difficulties for EU companies.
A decision of the ECJ in mid 2016 left the position even less certain, as it suggested the Model Clauses were not sufficient for making lawful transfers of data. Even if they are, for most startups and SMEs, getting the attention of Google, Facebook, Microsoft or Dropbox to sign an EU-specific agreement for their compliance purposes was simply not possible. Most large cloud service providers quite understandably impose minimum usage thresholds for negotiating custom contracts, but that leaves startups and founders with a difficult problem:
"How do I comply with the legislative obligations, without buying 250 licenses from Dropbox (for example)."
What do I have to do?
Google has very helpfully provided a suite of ready-made agreements that can be signed directly via the admin portal of G Suite for Business in order to bring your company's G Suite implementation inside the Privacy Shield. The 3-minute video above shows you how to make your company's G Suite for Business implementation completely GDPR ready.
If you have any questions at all, you can always post them in the comments below or send an email via the contact form on this site.