What does the General Data Protection Regulation (GDPR) mean for you?
We’re confident you’ve received a number of privacy policy update emails, but do you know why, and how this might impact your website and communications? Here’s our attempt at a synopsis and at whether GDPR impacts you.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU) and also regulates the exportation of personal data outside the EU. This new set of rules is designed to give EU citizens more control over their personal data. But this law affects any organization doing business with or collecting information from an EU citizen.
What do you mean by “personal data”?
Your name, address, credit card number and more are all collected, analyzed and, perhaps most importantly, stored by organizations. The types of data considered personal under the existing legislation include name, address, and photos. GDPR extends the definition of personal data to cover:
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Does it affect my company or organization?
If you hold any EU citizen data via your website, app, or service you MUST act now (in fact you’re super late to the party). All organizations are expected to be compliant with GDPR as of May 25, 2018.
If you have international reach with your website, social, email – really any online media, you should probably still pay attention to GDPR and take some action.
What happens if I don’t comply?
There is a fine for not being compliant. The maximum fine for noncompliance with the GDPR is up to 4% of the annual global revenue generated by the company.
So, what do I need to do?
- Get permission for data collection.
The GDPR requires companies to clearly state to the customer the purposes of data collection, when and how the data will be used, and when it will be destroyed. This cannot be hidden in a privacy policy statement or recorded by default. If you are collecting data through a form page, you must ask customers to give consent to use their personal information (unless it is for compliance with a legal obligation). And the data cannot be kept indefinitely.
- Protect the data that is collected.
Making sure your company has the proper security measures in place should be first on your task list. Contact your IT administrator, find out what you need to have in place to be compliant, and then create a protection plan.
- Inform all persons of a data breach.
Your company must inform victims individually of any breach within 72 hours.
- Respond to data collection requests.
Any customer can request to know what type of data is being collected and stored about them (Right to Portability), and has the right to request that it be deleted (Right to Erasure).
Here’s what a lot of other companies and organizations have been doing:
- Updating their privacy policy on their website.
- Adding notices about personal data collection on all form pages.
- Emailing their updated privacy policy to current customers, and providing opt out requests for email lists, etc.
- Adding an opt-in on websites acknowledging data collection.
If you are concerned that you may not be GDPR compliant, please contact your lawyer to help guide you.
Online Resources: