Our Response to GDPR

I have been reading all the articles (and the storm of emails in my inbox) on European GDPR privacy rules implementation with some dispassion.  After all, it does not affect me, right?  I run a camping business all in the US.  But then I got to thinking about it and realized that I had three avenues of exposure  -- my blogs, my jobs mailing list, and my company web site.  I will preface this by saying that I am no expert and I am not really hugely at-risk, but perhaps this will be useful to someone.  More importantly, if you ARE an expert and see something I am screwing up please email me!

The blog exposure strikes me as pretty narrow, particularly since we do not serve up advertisements (except in the comments via Disqus) and do not have a mailing list.  I don't store or have access to any user data (though I wonder if server logs count?) so I assess my main liability as secondary if Disqus screws up something.  I have been reading Disqus's updates and I would evaluate them as working on it but not done.  I suppose if the EU wants to come after me for "up to 4%" of this site's revenue they are welcome to do so.  Sort of like when I was unemployed being told to spend 2 months salary on my wife's engagement ring  (which in fact I did exactly, since it was my mom's ring given to me as a gift for the purpose).

Similarly, I think my liability surrounding the mailing list we maintain for job openings is pretty limited.  First, it would shock me if more than 0.0001% of the people on that list are in Europe, since I can't really legally hire Europeans in most cases and it is unlikely they will drive their RV over here to work in a campground.  More importantly, all the names are there through what I would call extreme opt-in -- they have to click on a special link and go sign up on a dedicated page just to join the mailing list.  The email provider is Constant Contact so again my liability is likely limited to whether they screw anything up in their compliance, but this is probably unlikely in my case.  Again there is no advertising and all people on the list ever get are notifications of new job openings and links where to apply.

Which brings me to our business web site.  There is no log-in or user information entered or advertising on our web site, so we are mostly fine.  With one large exception -- we have our own reservations site that gathers and stores customer reservation information.  Eek!  That sounds like it could be a problem.  The most dangerous piece of data we could potentially have in our hands is a credit card number, which is why our system was set up so our company never has the credit card number in our possession.  Customers are passed over to Stripe (highly recommended company, by the way) who handle all that dangerous stuff on their servers, and just pass us back a confirmation.  But we do have customer name, address, email, and camping stay dates on our server.  Maybe we are compliant already -- we treat that stuff with a lot of care.  Maybe we are not.  But since we really don't get any reservations at all from Europe, it was easier just to go black there, so right now my software guy is working on blocking traffic from European IP addresses.

Postscript:  On some of my posts, people write me and ask, "Why did you even bother to publish that."  And my answer is that I often write to think, so it may be that it is only for my own benefit.  My software guy is a reader of this blog and was probably laughing as he read this post because I stopped a couple times in writing it to fire off new questions or requests to him.

Update:  Hah, what timing!   This just appeared on my blog when I scrolled down to the comments so I guess Disqus must indeed be working on this.

6 Comments

  1. morganovich:

    and in this weeks episode of "the 28 stooges" we see the EU once more attempt to swat a fly on its forehead using a sledgehammer...

    if i were google, i'd just let the EU go dark. all access to gmail accounts from the eu is suspended. search engine? not available. maps.
    nope. replace them all with a splash screen that says "sorry, your laws no longer allow products like gmail and google search. if you value them at more than this sham of privacy you are being offered, we suggest you drop a line to (insert list if eu bureaucrats contact info). we'd love to come back. we miss you. but we don't do abusive relationships..."

    knuckling under to this is a grievous long term error. it might be the right thing for next q, but for 3 years from now? it's death. you just cannot let this camel get its nose under the tent. this is appeasement. the history of that working in europe is not so great...

  2. Geoff Jones:

    More to the point who is going to enforce the regulation :-) Pity that Europeans won't be allowed to access your reservations though. some thoughts here:-
    https://twitter.com/nickstenning/status/999914140431929344

  3. Joshua:

    Why would you have to comply in the first place? Your servers are in US right? You don't do business in Europe, so how could they come after your company?

  4. antognini:

    > I suppose if the EU wants to come after me for "up to 4%" of this site's revenue they are welcome to do so.

    The fines are 4% of global revenue or $20 million, *whichever is greater*. So, they could fine you up to $20 million. (As long as you don't do business in Europe or visit enforcement might be another matter.)

  5. ErikTheRed:

    If only. Just like the auto manufacturers playing emission testing games with diesel engines rather than just fighting it out at the moment.

    The problem is that a significant percentage of people actually believe the EUrocrats are the "good guys." In the current environment of tech companies playing faster and looser with personal information than people are comfortable with, they'd rather go crying to mommy than say, for instance, use a different search engine, be circumspect with social media usage, pay for email services, etc. It's a sad and pathetic situation, but there's a heavy political price to pay for fighting the fight and few companies and executives will ever have the stomach for that. A younger, more brash Steve Jobs might have told them where to shove it but nobody in Valley leadership right now is willing to go there - they're all jumping in bed with the governments (especially Google).