Disclaimer: This post and the information contained within in no way constitute legal advice. The post provides general information to make a website more compliant but does not guarantee compliance.
What is GDPR?
The European Union (EU) General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in the 21st century (View documentation). GDPR officially went into effect on May 25, 2018. Its purpose is to protect all EU citizens from privacy and data breaches. GDPR applies to all “personal data”: any information that can be used to directly or indirectly identify a person (name, email, phone, home address, location, identification number, IP address, cookie ID, etc.).
GDPR’s primary purpose is to regulate the collection, use, and storage of an individual’s data. It aims to protect the rights of individuals in the European Union and to give them control over their personal data. Under GDPR, individuals have the right to be informed, the right to obtain and update their data, the right to be forgotten and erase their data, the right to object to and block the use of personal data, and the right to provide explicit consent. GDPR is all about consent, security, and transparency.
Who does GDPR affect?
Regardless of the company’s location, GDPR regulations apply to every company that processes personal data of individuals residing in the EU. GDPR applies to all companies who offer goods or services to EU citizens and any company who monitors the behavior of EU individuals.
In the future, these changes may go into effect closer to home. Following in the footsteps of GDPR, the California Consumer Privacy Act is set to go into effect January 1, 2020 (Learn More).
What are the penalties?
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. There is a tiered approach to fines. The maximum fines are imposed on the most serious infringements, which include not having sufficient customer consent to process data or violating core Privacy by Design concepts. The lower tier imposes a 2% fine on organizations that do not have their records in order or that fail to notify a supervising authority of a data breach.
Who is responsible?
The data controller is the entity that determines the purpose, conditions, and means of processing personal data. The data processor is the entity that processes personal data on behalf of the controller. This means both the marketer and the platforms leveraged (e.g. Facebook, Google, MailChimp) are responsible for protecting personal data.
Key Questions for the Business Owner
- What data is being captured? When and how is it captured?
- How long will the data be stored?
- How is the data being used?
- Do you have explicit consent from the user to have and use the data in this way?
- Do you display who to contact to find out what data is being held and how it is being used? Do you have a process for a user to remove their data and end-use?
- What is your process in case of a data breach?
- Are all your connected systems compliant?
What are the key GDPR changes?
Here’s a list of the key changes associated with GDPR:
- Consent: The request for consent must be given in an intelligible and easily accessible form with the purpose of data processing attached to that consent (no illegible legal terms). It must be as easy to withdraw consent as it is to give it.
- Breach Notifications: Breach notifications are mandatory and must be done within 72 hours of becoming aware of the breach.
- Right to Access: The individual has the right to obtain information from the data controller as to how their data is being processed, where, and for what purpose. The controller is required to provide a copy of data in electronic format, free of charge.
- Right to be Forgotten: Individuals have a right to direct the data controller to delete their data, cease further use, and to have third parties cease processing of the data.
- Data Portability: The individual has a right to receive their personal data.
- Privacy by Design: This concept requires that data protection is integrated into the initial design of the system, rather than an addition. All appropriate technical and organizational measures must be implemented in an effective way. Organizations are required to only process the data when absolutely necessary and to limit access to the personal data to only those who need it for processing.
Here are a few items to consider from an operational standpoint:
- Research, learn how GDPR impacts your business, and train your staff accordingly.
- Audit your data – What data do you collect? Why? How is it used? How is it stored? Is it secure? Who has access?
- Audit all forms – Ensure that you always request consent and make sure all opt-in boxes are unchecked by default. Also, limit the data collection to absolutely necessary information and remove all extraneous or “nice-to-have” data fields.
- Plan for a potential data breach and be able to report a breach within 72 hours of the incident.
- Audit your email marketing – Always get consent from the user for a subscription and make it easy for them to unsubscribe.
Here are a few items to consider on your website:
- Email subscribers provide explicit consent to add their email to your email list. The email opt-in box must be unchecked by default. Always include an unsubscribe link.
- An SSL/TLS certificate so that the website is served over HTTPS and everything entered into any form or field on the website is encrypted in transit.
- Pseudonymization or anonymization for all users who sign into the website.
- For payment gateways in the US, ensure that they are Privacy Shield Compliant.
- All contact form submissions must be stored in an encrypted database.
- All email data must be stored securely, and unnecessary emails deleted.
- You must enable the IP anonymization option in Google Analytics so that full IP addresses are not stored.
- Ensure that your third-party tools (e.g. email marketing account, plugins, etc.) comply with GDPR.
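The pseudonymization item above, together with the right to be forgotten, as an added example that is not part of the original post: the application database and analytics store only a keyed pseudonym, while the key and the pseudonym-to-identifier lookup live in a separately protected vault. The class and function names, the constructed sample users and the in-memory vault are assumptions made for the illustration.

```python
# Added example (not from the original post): keyed pseudonymization of
# signed-in users. Names, sample users and key handling are assumptions.
import hashlib
import hmac
import secrets


def pseudonymize(identifier: str, key: bytes) -> str:
    """Return a stable pseudonym for an identifier such as an e-mail address.

    A keyed HMAC is used instead of a bare hash: a bare SHA-256 of an e-mail
    can be reversed by hashing a list of known addresses, whereas without the
    key the pseudonym cannot be linked back to the person.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


class PseudonymVault:
    """Key plus pseudonym->identifier map, kept apart from application data."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self._lookup = {}

    def register(self, identifier):
        pseudonym = pseudonymize(identifier, self.key)
        self._lookup[pseudonym] = identifier.strip().lower()
        return pseudonym

    def reidentify(self, pseudonym):
        """Only for flows that need the real identity, e.g. an access request."""
        return self._lookup.get(pseudonym)

    def erase(self, identifier):
        """Right to be forgotten: drop the link so that records keyed by the
        pseudonym can no longer be tied back to the person."""
        return self._lookup.pop(pseudonymize(identifier, self.key), None) is not None


def demo():
    # Constructed sample: two users sign in, one later asks to be forgotten.
    vault = PseudonymVault()
    events = []  # what the analytics store sees: pseudonym and action only
    for email, action in [("Alice@Example.com", "login"), ("bob@example.com", "login"),
                          ("alice@example.com", "purchase")]:
        events.append({"user": vault.register(email), "action": action})
    vault.erase("alice@example.com")
    return {"events": events, "alice": vault.reidentify(events[0]["user"]),
            "bob": vault.reidentify(events[1]["user"])}
```

After the erasure the purchase and login events for the first user remain usable as aggregate statistics but can no longer be attributed to a person, while the second user is still resolvable through the vault.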