Aimee Beck

Summary

The GDPR (General Data Protection Regulation) is a critical EU regulation that requires businesses worldwide to protect the personal data of EU citizens and provides those citizens with control over their data.

Abstract

The GDPR, effective from May 25, 2018, mandates that any business dealing with EU citizens' data, regardless of the company's location, must comply with stringent data protection standards. It aims to safeguard EU citizens' privacy and data, requiring explicit consent for data collection and processing. Non-compliance can result in hefty fines, up to 4% of annual global turnover or €20 Million. The regulation standardizes data protection laws across the EU, simplifying compliance for international businesses. Companies must now actively seek consent for data collection, including via cookies and tracking technologies, and be prepared to respond to data access and deletion requests. They also have a 72-hour window to report data breaches to authorities and affected individuals. A comprehensive privacy policy update is essential to communicate data handling practices transparently.

Opinions

  • The GDPR is seen as a positive step towards protecting individual privacy rights, giving EU citizens more control over their personal data.
  • Businesses may view the GDPR as challenging due to the high standards of compliance and the potential for significant penalties for breaches.
  • Some companies are embracing the GDPR as it creates a single standard for data protection across all EU countries, eliminating the complexity of dealing with multiple regulations.
  • The emphasis on explicit consent for data collection, including the use of cookies, is reshaping how websites obtain user permissions, with many sites now featuring consent pop-ups.
  • The requirement for a data breach response plan is considered a prudent measure to ensure businesses are prepared to handle security incidents effectively and responsibly.
  • The need for transparency in privacy policies is welcomed as it fosters trust between businesses and consumers by clearly outlining data collection and protection practices.

GDPR — Is Your Online Business Compliant?

If you work on the web (and we know you do), you may have heard the acronym GDPR bandied about online and in the news lately. If you do any business within the EU (European Union) or with businesses / individuals who reside in the EU, you need to be aware of this new regulation.

What is GDPR?

GDPR stands for General Data Protection Regulation. Adopted by the European Parliament in April 2016, it was set to go into effect on May 25, 2018. It is a regulation that affects any business that transacts in the EU or with EU citizens, where personal data is processed or held, regardless of where the company is located.

The purpose of the GDPR is to give European Union citizens control over their data, their privacy and the export of their data from the EU. When tracking EU citizens or collecting and holding their data, companies will no longer be able to rely on implied consent.

Unlike the previous directive on this topic, the 1995 Data Protection Directive, this regulation is enforceable throughout the 28 EU member states and around the world, and fines can be levied against companies who breach it, to the tune of 4% of annual global turnover or €20 million. Of course, that is a maximum; the regulation offers a tiered approach to fines, depending on the severity of the breach.

Why should you care about the GDPR?

Any business could be breaching the regulation by an act as simple as using cookies on its website to track users' actions for analytics purposes without formal consent. If your business has clients, or even visitors to your website, from the EU, you need to be in compliance with GDPR.

Personal data, as defined by the regulation, includes but isn’t limited to: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” (Source)

The possibility of fines aside, many companies who do business in or with the EU are embracing this new regulation for the simple reason that it creates one standard for ALL EU countries. There is no need to worry about regulations that vary from country to country. But the standards are high, so every company should review the active steps needed to be in compliance.

Quick steps to becoming fully compliant with GDPR

  1. Start with a review of where your business asks for personal information from customers. If you’re not in the EU, this is likely limited to your website. Do you have an email marketing sign-up form? An online form for other purposes? Do you collect email addresses or financial information for transactions / purchases? You need explicit consent from users to collect this information. And while the Canadian Anti-Spam Legislation (CASL) permits businesses to contact an existing customer for up to 2 years (implied consent), GDPR requires consent for EVERY contact (explicit consent).
  2. Are you tracking data on your site through cookies and / or social media (share buttons are an example of this)? IP addresses, for example, are personally identifiable, so if you’re tracking these from your visitors, you need to ask for consent. It’s not enough to say “You’re consenting to data collection by using this site.” You may notice a lot more websites creating pop-ups that state that the site collects cookies and require the user to accept this (or not). This is active, explicit consent, as defined by the regulation.
  3. Do you have a plan for a data breach? If you are collecting personal data, you need to have a plan as to what you will do to protect it. If a user requests the data you have collected on them, you need to be able to a) provide it and b) delete it, at their request. You only have 72 hours, under the regulation, to notify authorities, as well as the affected parties, of a data breach.
  4. Revamp your privacy policy. You should be clearly stating on a page of your site:
     — what data you collect;
     — for what purposes;
     — how the data is protected;
     — whether it is provided to third parties.
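To make step 2 concrete, here is an added example (not from the original post) of a consent gate for tracking cookies: analytics or marketing code runs only when an explicit, current opt-in is on record, and “by using this site you consent” never qualifies. The purpose names, the policy version number and the one-year retention period are assumptions.

```javascript
// Added example: explicit-consent gate for tracking purposes.
// Policy: tracking runs only after an affirmative, recorded opt-in.
// Implied consent (continued browsing, closing the banner, a pre-ticked box) never counts.

const CONSENT_POLICY_VERSION = 2;                    // assumed; bump whenever the privacy policy changes
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;    // assumed: ask again after one year
const PURPOSES = new Set(["necessary", "analytics", "marketing"]);  // assumed purpose names

// Build the record to persist (e.g. in localStorage) when the user clicks Accept.
// `explicit: true` must only ever be set from an affirmative user action.
function recordConsent(purposes, now) {
  for (const p of purposes) {
    if (!PURPOSES.has(p)) throw new Error(`unknown purpose: ${p}`);
  }
  const granted = new Set(["necessary", ...purposes]);  // strictly necessary cookies need no consent
  return { version: CONSENT_POLICY_VERSION, grantedAt: now, purposes: [...granted], explicit: true };
}

// "Reject all" is also an explicit choice; recording it stops the banner from re-appearing.
function recordRejection(now) {
  return recordConsent([], now);
}

// Decide whether processing for `purpose` may run at time `now`. Fails closed.
function mayProcess(record, purpose, now) {
  if (purpose === "necessary") return { allowed: true, reason: "strictly necessary" };
  if (!record) return { allowed: false, reason: "no consent recorded" };
  if (record.explicit !== true) return { allowed: false, reason: "implied consent is not valid" };
  if (record.version !== CONSENT_POLICY_VERSION) return { allowed: false, reason: "policy changed, re-consent required" };
  if (now - record.grantedAt > CONSENT_TTL_MS) return { allowed: false, reason: "consent expired" };
  if (!record.purposes.includes(purpose)) return { allowed: false, reason: `no consent for ${purpose}` };
  return { allowed: true, reason: "explicit consent on record" };
}

// Wrap a tracker loader so it cannot run without consent; the decision is
// returned so the caller can log why a tracker was withheld.
function loadIfConsented(record, purpose, loader, now) {
  const decision = mayProcess(record, purpose, now);
  if (decision.allowed) loader();
  return decision;
}

// Constructed walk-through: a visitor who accepted analytics but not marketing.
const T0 = Date.UTC(2018, 4, 25);                    // constructed timestamp (25 May 2018)
const visitor = recordConsent(["analytics"], T0);
let analyticsLoaded = false;
loadIfConsented(visitor, "analytics", () => { analyticsLoaded = true; }, T0 + 1000);
const marketingDecision = loadIfConsented(visitor, "marketing", () => {}, T0 + 1000);
// analyticsLoaded === true; marketingDecision.allowed === false
```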

For more in-depth information on GDPR and how to ensure your business is compliant, check out this 12 step guide from the U.K. Information Commissioner’s Office.

Originally published at mediawisemarketing.com on May 22, 2018.
