GDPR changes rules on data protection: You might be forgiven for a little fatigue when it comes to new regulation. The TPD in Europe, Deeming in the United States…it’s been tough to keep up with. But a new horizontal regulation in the EU will affect the way everyone does business, and that includes the vaping industry: the General Data Protection Regulation (GDPR).
GDPR will come into force next year, and it’s particularly important that companies who sell online take note, as the way they process customer data likely needs a radical overhaul. Many are examining their procedures now in anticipation.
Key changes include:
- International scope – for the first time, non-EU companies are within the scope of GDPR when they process the personal data of EU residents. That means US companies selling to European consumers need to pay attention too.
- Consent for processing – Consent for data processing must be freely given by the subject, specific, informed and unambiguous. Requests for consent should be separate from other terms, and be in clear and plain language. A data subject’s consent to processing of their personal data must be as easy to withdraw as to give. Consent must be “explicit” for sensitive data such as addresses and credit card details.
- Parental consent – parents must give consent for minors to receive information society services – a minor is considered to be anyone under 16 but Member States can lower that to 13 if they wish.
- Information provided to data subjects – Data controllers must continue to provide transparent information to data subjects. This must be done at the time the personal data is obtained. However, existing forms of fair processing notice will have to be re-examined as the requirements in the GDPR are much more detailed than those in the current Directive. For example, the information to be provided is more comprehensive and must inform the data subject of certain of their rights (such as the ability to withdraw consent) and the period for which the data will be stored.
- International data transfer – US companies selling on the web should take note: exporting personal data from the EU to third countries is strictly controlled. An outright ban on transfers to foreign regulators without approval did not survive the adopted text. That said, most routine transfers are prohibited and they can only take place when sufficient information is given to data subjects informing them of the specific risks of the transfer.
The deadline to get all of this implemented is May 2018, so if you’ve never heard of GDPR, now might be the time to take a look.