What is GDPR?

In May 2018 the General Data Protection Regulation (GDPR) went into effect. The GDPR is one set of data protection rules for all companies operating in the European Union (EU), wherever they are based. It is the latest in a series of EU parliamentary measures designed to put the highest levels of protection around personal data. Recognizing that data can travel well beyond the borders of the EU, GDPR provides protection to EU citizens no matter where their data travels. This means that any company, anywhere, that has a database that includes EU citizens is bound by its rules. Businesses of all sizes are affected — from micro to multinational. No one is exempt.

In order to comply, US based companies must have processes in place to ensure compliance.  Companies must ensure that customers have control over their data by including safeguards to protect their rights.

• Breaches can cost companies up 20 million Euros or up to 4 percent of their annual global turnover. Some infractions are less expensive but still represent a significant penalty.
• Consent must be given in an easy-to-understand, accessible form, with a clear written purpose for the user to sign off on, and there must be an easy way for the user to reverse consent.
• Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of its discovery. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
• This includes the data subject’s right to get copies of their data and information on how it’s being used and the right to be forgotten, also known as Data Erasure.
• It will also allow customers to move their data from one service provider to another.

Does this affect my business?

If you answer yes to any of the following questions, then Yes, it affects you.

1. Do you have a shopping cart on your website?
2. Do you use cookies? If your website was built using WordPress, then Yes, you use cookies. Many popular third party plugins also use cookies including YouTube, Facebook, and Yoast SEO.
3. Do you have a form on your website that collects personal data such as a contact form or a request for quote form?
4. Do you use Google Analytics?

Once you’ve determined that your organization needs to comply with the GDPR, where do you start with your compliance efforts? You must add a privacy policy to your website and if you already have one, make sure it is updated.

What Is a Privacy Policy?

A privacy policy is a document that you publish informing people how you gather, use, share, and manage their personal data. The GDPR imposes significant new requirements on what data controllers must disclose in their privacy policies. The specific items that must be addressed can be found in Articles 12-14 of the GDPR.

According to the European Commission here are the guidelines:

1. Use plain language.
2. Tell them who you are when you request the data.
3. Say why you are processing their data, how long it will be stored and who receives it.
4. Get their clear consent to process the data.
5. Collecting from children for social media? Check age limit for parental consent.
6. Let people access their data and give it to another company.
7. Inform people of data breaches if there is a serious risk to them.
8. Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
9. If you use profiling to process applications for legally-binding agreements like loans you must:
   • Inform your customers;
   • Make sure you have a person, not a machine, checking the process if the application ends in a refusal;
   • Offer the applicant the right to contest the decision.
10. Give people the right to opt out of direct marketing that uses their data.
11. Use extra safeguards  for information on health, race, sexual orientation, religion and political beliefs.
12. Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.

For help adding a privacy policy to your site, contact us at 815-459-0482.