What is GDPR?
In May 2018 the General Data Protection Regulation (GDPR) went into effect. The GDPR is one set of data protection rules for all companies operating in the European Union (EU), wherever they are based. It is the latest in a series of EU parliamentary measures designed to put the highest levels of protection around personal data. Recognizing that data can travel well beyond the borders of the EU, GDPR provides protection to EU citizens no matter where their data travels. This means that any company, anywhere, that holds a database containing EU citizens' personal data is bound by its rules. Businesses of all sizes are affected — from micro to multinational. No one is exempt.
To comply, US-based companies must have processes in place that ensure the regulation's requirements are met. Companies must ensure that customers have control over their data by putting safeguards in place to protect their rights.
- Breaches can cost companies up to 20 million euros or up to 4 percent of their annual global turnover. Some infractions are less expensive but still represent a significant penalty.
- Consent must be given in an easy-to-understand, accessible form, with a clear written purpose for the user to sign off on, and there must be an easy way for the user to reverse consent.
- Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of its discovery. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
- Data subjects have the right to obtain copies of their data and information on how it is being used, as well as the right to be forgotten, also known as data erasure.
- The GDPR also gives customers the right to move their data from one service provider to another.
Does this affect my business?
If you answer yes to any of the following questions, then yes, it affects you.
- Do you have a shopping cart on your website?
- Do you have a form on your website that collects personal data such as a contact form or a request for quote form?
- Do you use Google Analytics?
According to the European Commission, the guidelines are:
- Use plain language.
- Tell them who you are when you request the data.
- Say why you are processing their data, how long it will be stored and who receives it.
- Get their clear consent to process the data.
- Collecting from children for social media? Check age limit for parental consent.
- Let people access their data and give it to another company.
- Inform people of data breaches if there is a serious risk to them.
- Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
- If you use profiling to process applications for legally-binding agreements like loans you must:
  - Inform your customers;
  - Make sure you have a person, not a machine, checking the process if the application ends in a refusal;
  - Offer the applicant the right to contest the decision.
- Give people the right to opt out of direct marketing that uses their data.
- Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
- Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.