As I’ve been working a good amount on GDPR over the past few long months, there are a few areas of Fear Uncertainty and Doubt (FUD) around the subject area to which there really aren’t enough sensible posts.
So I’m attempting to make one such sensible post, in relation to a response I’ve seen in a few places, to the EU Regulations, which came into force on 25 May 2018.
I’ve seen a few commentators, some of whom should know better, saying that blocking, banning or removing EU customers (or just web visitors) from their website or service, is how they are going to deal with GDPR.
This is not a good response to the regulation at all, for several reasons:
- Not everyone in the EU is an EU citizen – you might be blocking people on vacation, who wish to use your product or service from abroad;
- EU Citizens may sometimes travel outside of the EU – and you still need to respect their Right to Privacy when they do;
- GDPR really isn’t that onerous – and its likely that similar regulation will be hitting a jurisdiction near you… its only a matter of time… (thank Cambridge Analytica and Facebook for pushing down your Government’s right foot on the accelerator on that one)
So this can be boiled down to a two-parter:
- Whatever mechanism you come up with to block or bar EU citizens, won’t work;
- What’s wrong with demonstrating respect for Privacy Rights, even if your Government hasn’t (yet) passed a law enshrining these Rights?
Further, its bad PR
As consumers become more aware of the rights other sites and services respect, you’re going to look a little odd saying “We’re banning EU citizens from out site! Yay!” Your non-EU customers might view this with a little bit of scepticism and say “hmm, what are you doing with our data”
I don’t particularly like the “if you have nothing to hide you have nothing to fear” line of reasoning, as this is often used to shoe-horn through all kinds of Snoopers’ Charters, but transparency in your business dealings is rarely a bad thing.
What are you doing with your customers’ data that you wouldn’t be comfortable telling them about?
I’ve said before that GDPR is really saying two things in relation to personal data.
- Don’t be creepy;
- Don’t be sneaky.
If you think of GDPR like this, then, if your response to the Regulation is that you would like to ban all EU citizens from your service so you don’t have to respect their rights, then you’ll need to convince everybody else who does use your service that you aren’t being sneaky or creepy.
Lots of companies based in the US are engaging fully with GDPR and looking to build respect for privacy and personal data into their processes and policies. Get on board with this idea: that people now have a Right to Privacy; and they have a Right to have their Personal Data Protected. Its only a matter of time before this hits a jurisdiction near you, at which point, you’ll wish you’d already done it.
So if the reason you are thinking about banning or blocking people whose IP addresses mark them out as being physically located in the EU (see how this is not an effective block?!), then I would ask this question: what is it about GDPR which makes you want to take this fairly drastic step?
Please do leave a comment below.