Racing To Comply: How The New GDPR Internet Privacy Rules Affect Trainers And Other Equine Professionals

By Peter Sacopulos, Esq.

The Great Privacy Policy Alert

As the summer of 2018 began, every company doing business on the internet appeared to have developed a new user privacy policy overnight. Service providers, search engines, social media platforms, news sites, online retailers and others bombarded Americans with emails and pop-ups, urging users to review the new policies immediately and adjust their personal privacy settings accordingly. There is no official count of how many consumers dutifully clicked on links, doggedly read new rules, and deliberately updated their individual privacy preferences, or how many simply shrugged, ignored the alerts, and went on with their online lives.

Some who wondered what all the fuss was about may have thought the new privacy policies had something to do with recent headlines about corporate data breaches. Others may have associated them with the fallout of 2016’s US presidential election and UK Brexit referendum, after which reports emerged of foreign meddling online and a political consulting firm stealthily collecting data from tens of millions of Facebook users without their permission. (Criminal investigations are ongoing.) But many internet users knew the truth: the renewed focus on privacy was far from sudden and was the result of a European Union law known as the General Data Protection Regulation, which had been passed in 2016 and took effect on May 25, 2018.

The General Data Protection Regulation

Even though it is a European law, the General Data Protection Regulation (or GDPR) has implications for Americans who use the internet to conduct their business. Horse trainers and other equine professionals are no exception. This article will address the basics of GDPR, how it affects American businesses, and the primary steps your business should take to achieve and maintain GDPR compliance. Make no mistake, spending the time and effort to do so now will go a long way toward avoiding legal headaches and financial penalties in the future.

Privacy policies exist to protect personal data. Personal data is defined by the European Union as: “…any information that relates to an identified or identifiable individual….” It includes: “…Different pieces of information, which collected together, can lead to the identification of a particular person….” In short, any form or combination of information that can tell others who you are is personal data. In the US, personal data is also referred to as personally identifiable information (PII) or sensitive personal information (SPI).

Personal data typically includes information that can allow others to locate, contact or monitor you. Examples of personal data include your first and last name, home address, email address and telephone number, as well as an identification card number, such as your social security number, driver’s license number or passport number. In the digital age, it can also take far more subtle forms, including some you may not have even realized, such as your Internet Protocol (IP) address, your mobile phone location data or a “cookie” ID on your computer. Personal data does not include anonymous information, such as that found in statistics.

The Big Question

The General Data Protection Regulation is based on the answer to this increasingly important question: Who owns an individual’s personal digital data?

In the United States, the answer to that question is still being debated and, some privacy advocates would go so far as to say, avoided. But the countries that make up the European Union (EU) and the European Economic Area (EEA) have determined that, where their citizens are concerned, every individual owns his or her personal data, wherever it may appear online and however it may be gathered and used by others. The GDPR enshrines this principle of personal data ownership in law. It grants specific data privacy rights to individuals and sets out rules that businesses must follow when dealing with a consumer’s data. It mandates harsh financial penalties for businesses that violate those rules, along with strict notification standards whenever a business suffers a data breach.

The American Question

The first question most Americans will ask about the GDPR is obvious. Why would an American citizen doing business in the United States need to worry about complying with a European law?

Like nearly all businesses in the digital age, the vast majority of the Thoroughbred racing community routinely conducts business on the internet. And therein lies the answer to the American GDPR compliance riddle. The web truly is worldwide, and that means your website, and any and all social media platforms you use (such as Facebook, Instagram, YouTube, Snapchat, Twitter and any Thoroughbred-biz-specific websites and platforms), are as easily accessed in Europe as they are in America. In the course of conducting business online, you can come into contact with a European citizen as easily as you do an American citizen.

The General Data Protection Regulation clearly states that when any business entity, based in any location, deals with a European citizen’s data, GDPR rules apply. But there are some important exceptions. If a European citizen’s data is collected while the individual is not physically in Europe, that data is not governed by the GDPR. If, for example, a German visiting America takes an online marketing survey while in New York and offers up personal information in the process, only American regulations regarding the use of that data would apply.

The GDPR also takes intentionality into account. Basic, broad-based, generic marketing materials are exempt from the law. If an Italian citizen who has an interest in Thoroughbred training happens across the English-language website of an American horse trainer whose services are only offered in the US, the GDPR does not come into play. But if an American trainer’s site appears to target European citizens, gathers information on them, or seeks to do business with them, GDPR rules do apply.

Time and Money

From a business perspective, investing the time, cost, and effort it would take to maintain totally separate online entities, presences, and accounts for the United States and Europe due to variations in privacy regulations is likely to be a losing proposition. That’s why major US-based internet players have concluded that complying with the stricter GDPR rules makes business sense. It is also why they started sending all those new privacy policy notices several months back.

The Thoroughbred racing industry is a global endeavor as well, and many trainers, owners, jockeys, and other participants either already do business on both continents or want to expand their opportunities by doing so. If you are an American-based trainer with any interest in working on the European circuit, GDPR compliance is a must.

A Digital Bill of Rights

The core data privacy rights that the GDPR grants to individuals and requires businesses to protect are: 1.) Consent and the Right to Object; 2.) Data Deletion and the “Right to be Forgotten;” 3.) Restriction of Processing; and 4.) Data Portability.

Consent and the Right to Object

Individual internet users (referred to as “data subjects” in European terminology) have the right to consent prior to the gathering and use of their personal data by an online entity. This rule applies to online tracking, user profiling, and the receiving of marketing communications. A consumer may refuse or withdraw consent at any time. Think of this as the “ask permission first” rule. According to the GDPR, consent has to be: “…freely given; informed; unambiguous; and demonstrated by clear affirmative action….” In other words, you must ask for and receive their express permission before tracking individuals online, sending them digital marketing messages, or creating a profile that incorporates their personal information or online behavior.

For example, you decide to begin sending a quarterly marketing email newsletter that promotes your skills and successes as a trainer. Before doing so, you must obtain permission from the individuals on your mailing list. If someone informs you that they do not wish to receive your newsletter, you cannot send it to that person. If an individual agrees to receive the emails but eventually informs you that he or she wishes to stop receiving them, you must cease delivery in a timely fashion.

Data Deletion and the “Right to be Forgotten”

You have probably heard the expression, “the internet is forever.” This refers to the fact that once information appears publicly online, it is extremely difficult to remove permanently, even if a concerted effort is made to do so.

Data Deletion and the Right to be Forgotten holds that individuals have the right to request that their personal data be deleted from all internet-related locations, including back-ups that may have been moved offline. A customer who wants to sever ties with an online retailer, for instance, may demand that his or her shopping history be deleted from the company’s records, along with any public-facing product reviews the customer has posted over the years.

Once instructed to delete data, a business must do so in a timely manner. For example, you use Instagram to post photos of a horse you have trained. Someone who posted a comment on a photo may decide their comment was inappropriate and request that it be removed. Even though they posted the comment to your account, the comment is data that belongs to them, and you will need to comply with their request.

Restriction of Processing

Individuals can also request that a business stop accessing and/or modifying their personal data. This is known as Restriction of Processing. In other words, a business can still store that individual’s personal data, but cannot do anything with it, including editing, updating, selling or sharing the information. Additionally, the company must lock down the data, securing it in all forms, including non-digital formats. The business may only access the data again if and when the consumer grants permission.

A consumer who has a billing dispute with an online retailer could invoke Restriction of Processing, “freezing” his or her data until the dispute is resolved satisfactorily. Or an owner who is entering a Thoroughbred in a match race could request that a trainer stop accessing his personal data until the race is over.

Data Portability

Data Portability is the fourth cornerstone of the GDPR. It requires online businesses to make an individual’s data available to that individual upon his or her request. The business must provide the data in a structured, commonly used, computer-readable format that allows the individual to move their data to other companies as they wish.

Consider a couple applying for a mortgage. They may request their personal data from the mortgage company and share it with other lenders in order to speed the process of getting competitive quotes. Likewise, the owner of a Thoroughbred that you have trained may decide to sell the animal and request digital records from you that can be forwarded to potential buyers.

Respect and Essential Steps

The key to complying with the GDPR is respecting your prospects’ and customers’ privacy. Given how famously private, or perhaps more accurately, secretive, horse trainers are, that should come naturally. The amount of effort trainers and other equine professionals will need to make regarding GDPR compliance will depend on the reach, scope, and sophistication of their online operations. If you do business in Europe, send digital marketing communications, track customers or prospects online, sell items online, profile users, or directly host advertisers on your website who do, your distance to the finish line will be longer than that of a trainer who, say, runs a one-person business with the help of a website or a Facebook page and occasionally exchanges business emails.

Compliance, Large and Small

If you are running a large operation with substantial online components, it is vital that you work with relevant vendors and employees, making the most of their skills and expertise in order to meet your compliance goals. Coordinating the efforts of your IT, sales and marketing team, and legal advisors is essential. Of course, if you are running a business operating with a high degree of digital sophistication, I assume you are already well aware of the GDPR and well on your way to compliance. If, instead, you are running a smaller operation, you need to evaluate whether or not the GDPR applies to your business.

If you are collecting personal data from European citizens, you are acting as what the GDPR calls a “Controller.” The vendors you use to support your online efforts are known as “Processors.” (Think of Facebook hosting your page, or GoDaddy hosting your website, or Emma handling your email marketing efforts.) Processors are also responsible for privacy compliance. All of your processors should be offering both online advice and a suite of tools you can use to ensure compliance. Familiarizing yourself with their offerings and making use of them is an excellent start.

If you have retained independent contractors to deal with tasks such as building and managing your website or your online marketing, set up meetings with them and ask for their advice and assistance. If you feel you need more help, plenty of companies are offering their services to help bring businesses into compliance. If you choose to go this route, be sure to do your homework. Choose a reliable company that can provide references and a proven track record.

The GDPR is designed to preserve individual rights, protect privacy, prevent abuses by large tech firms, and combat criminal hackers and scammers. It does not excuse smaller businesses from their responsibilities when dealing with personal data. Doing your due diligence and making a good faith effort to comply will keep you from getting crossways with regulators. Better still, it will let your clients and potential clients know that you deserve their trust and are capable of maintaining their privacy. In the world of Thoroughbred racing, that is as good as gold.
