We live in the age of data collection. From email addresses and usernames to birthdates and locations, sharing personal information has become the norm. Try to buy something online and not share any personal information. Unless you’ve taken the time to master the world of cryptocurrencies, without a name, mailing address, and credit card number, your order won’t make it very far.
You’ve probably wondered about what actually happens when you click submit and share that information. Does the company store it? If so, how? Is it safe? Do they share the information with other organizations? Will they delete it if you ask them?
And what about your own business or organization? How do you store the personal data of the individuals who visit your website, submit inquiries or place orders?
With the complexity of modern data systems and hyper-connectivity, the answer is not always clear.
The European Union (EU) is working to change that. As of May 25, 2018, a new EU legal framework is in force that sets strict rules for the collection and processing of personal data. The rule is called the General Data Protection Regulation, or GDPR for short.
You may be thinking, “My business is not based in the European Union, so this doesn’t have anything to do with me.” But for organizations and businesses outside of the EU, it is not that cut and dried. If you offer goods or services to customers or businesses in the EU, or monitor the online behavior of people in the EU, the rule most likely applies to you.
Does the GDPR apply to me?
According to HubSpot, while the previous EU legislation (the 1995 EU Data Protection Directive) governed entities within the EU, the territorial scope of the GDPR is far wider: it also applies to non-EU businesses that a) offer products or services to people in the EU or b) monitor the behavior of people in the EU. In other words, even if you are based outside of the EU, if you control or process the personal data of people who are in the EU (regardless of their citizenship), the GDPR applies to you.
An overview of GDPR
GDPR rewrites the rules for handling personal data in the EU, online and offline. The law was designed to better protect personal data and sets strict conditions on what companies can do with it. As a result, individuals have more control over how their data is collected and used.
As outlined in ZDNet’s article, “What is GDPR? Everything you need to know about the new general data protection regulations,” under the terms of GDPR, not only must organizations ensure that personal data is gathered lawfully and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation and to respect the rights of data subjects, or face penalties for not doing so.
The law covers any information relating to an identified or identifiable person. Examples include first and last names, usernames, phone numbers, email addresses, birthdates, IP addresses and other online identifiers, and location data. Companies that don’t comply face significant fines: for the most serious infringements, up to 4% of the company’s worldwide annual turnover or €20 million (approximately $23.3 million at the time of writing), whichever is greater.
This video from the Wall Street Journal gives an excellent overview of GDPR and we recommend taking a few minutes to watch it.
As a US-based business, what do I need to do to comply?
Each organization and situation is different and what you need to do to comply won’t be the same as your neighbor. It all depends on how you collect, store and use data. Action steps you should consider:
- Review your policies and procedures: Document or develop strict policies and procedures for handling personal data. What does your business do with the data you collect? How is it stored? Do you share it, and with whom? Clearly outline, in as much detail as possible, your data collection, storage, and usage practices. This documentation (the GDPR calls it a record of processing activities) is how you demonstrate compliance with the new law.
- Inform your audience: As Claire Brotherton points out in her article, “Is Your Website GDPR Compliant? How to Get Ready for the General Data Protection Regulations,” creating or updating your privacy policy so that it clearly articulates what personal data your business collects and how that data is used is an important step. Post it clearly on your website. Keep it brief and easily understood. Additionally, you must have a breach notification process in place: a personal data breach must be reported to the supervisory authority within 72 hours of your becoming aware of it (unless it is unlikely to result in a risk to individuals), and the affected individuals must be told without undue delay when the breach is likely to result in a high risk to them.
- Establish a lawful basis for data collection: All personal data processing must rest on one of the lawful bases the GDPR recognizes (for example consent, performance of a contract, or a legitimate interest), and you should record which one applies to each purpose. Look for ways to minimize the collection of personal data. Avoid long contact forms that collect information just because. Only collect data you are going to use and have clear policies and procedures to support.
- Develop internal processes for deleting a user’s information: According to Ivana Kottasová’s CNN article, under GDPR, anyone can ask for their personal information to be deleted from a company’s servers. Have a procedure in place for accepting deletion requests (e.g., a submission form), a way to verify that the requester is who they claim to be, and a policy for carrying out the removal, including in backups and at any third-party processors you share data with. Requests must be answered without undue delay and at the latest within one month, and the right is not absolute: where you are legally required to keep certain records, document that exception and explain it to the requester. Decide, too, how you will confirm to users that their information has been deleted.
- Strengthen your email list privacy etiquette: Ensure you are using good email list privacy etiquette. Use explicit opt-ins (a pre-ticked box or silence does not count as consent under GDPR) and easy unsubscribe options, so that people clearly know they are subscribing and can withdraw at any time as easily as they signed up.
Want more ideas? An 11-step checklist published on Medium walks through making your business and website GDPR compliant.
Additionally, it is worth noting: if your site runs on Joomla or WordPress, both platforms have changed their core to accommodate this law. Even with these changes, there will likely be additional steps you need to take to be compliant, since plugins, themes, and third-party services you have added are not covered by the core updates. Joomla’s Privacy Tool Suite and the WordPress privacy and maintenance release both provide more details on their GDPR updates.
The final GDPR word
GDPR has arrived, and if your business processes personal data of people in the EU, you need to take action. As you think through GDPR and its impact on your organization, remember these main focus areas:
- Processing: Define your company’s rules about how personal data will be processed.
- Secure your data: Put appropriate technical and organizational safeguards in place; the regulation itself names pseudonymization and encryption as examples.
- Breach notification: Develop a process for informing the supervisory authority (and, where the risk to them is high, the affected individuals) about personal data breaches.
- Right to access: Respond to requests for access to personal information within one month.
- Right to be forgotten: Ensure individuals can be removed from your records, subject to any legal retention obligations.
- Consent: Where consent is your lawful basis, obtain it before you gather the data, and make it as easy to withdraw as it was to give.
- Accountability: Ensure you have defined procedures to follow and named individuals responsible for putting them into action.
At the end of the day, GDPR was put in place to better protect a web user’s personal information. As consumers, we should appreciate the motives behind the rule. As businesses collecting information, we need to do our best to keep user data safe and accessible to the individual.
Additional Resources:
- Why GDPR affects everyone – not just IT
- What US-Based Companies Need To Know About The GDPR, And Why Now?
- 4 Steps to Make Your Website GDPR Compliant
- GDPR Information Portal
- Full Documentation of the Regulation
Disclaimer: This information is offered as background information and does not constitute legal advice. You should not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider.