As you’ve likely heard in the news and online by now, the GDPR (General Data Protection Regulation) takes effect on May 25th, 2018. In this post we’re going to simplify the topic and learn What You Need To Know About The GDPR and how it affects your business.
The GDPR is an EU regulation that replaces the 1995 Data Protection Directive, harmonizes data protection law across the member states, and strengthens data protection for all individuals in the European Union.
The first question I usually get is “Does this affect me and my business if I’m not in the EU?” and the answer is…maybe. It affects you if you collect or process personal data of individuals who are in the European Union, regardless of their citizenship or of where your company is located.
If your company offers goods or services to people in the EU, or monitors their behaviour (website tracking and analytics included), it is subject to the GDPR no matter where it is physically based. Failure to comply can draw fines of up to 4% of your annual global turnover or 20 million Euros, whichever is greater.
That’s scary for a lot of people. But it doesn’t have to be.
Here’s the breakdown of what you’re responsible for:
- Explaining who you are, how long you’re keeping the data, why you need it, and who on your team or externally has access to it
- Getting clear, affirmative opt-in consent to collect data where consent is the lawful basis you rely on (the GDPR also recognises other bases, such as performance of a contract or legitimate interests, but you must be able to show which one applies)
- Giving users access to their own data, the ability to obtain a copy of it in a portable format, and the right to have it erased from your records, subject to the exceptions the regulation sets out
- In the event of a hack or other personal data breach, telling affected users about it without undue delay when the breach is likely to put them at high risk
Personal data is defined as any information relating to an identified or identifiable natural person (the data subject), that is, a person who can be identified directly or indirectly from it. This includes information such as, but not limited to:
- Email address
- Photo
- Name
- IP address
- Bank details
- Medical information
- Location data
- Browser cookies and other online identifiers
A business that holds personal data of individuals in the EU must protect that data, provide the individual with a copy of it free of charge on request (a fee is allowed only for manifestly unfounded or excessive requests), and, as the data controller, honour requests for erasure, subject to the conditions and exceptions the regulation sets out.
What do you need to do if you are affected by the GDPR?
You need to know where all personal data resides and how it is used, and ensure that only people who need it have access to it. Any time you collect personal data you must explain what you’re collecting and why, and, where you rely on consent, obtain it explicitly before processing. Furthermore, a data subject must be able to withdraw consent at any time, as easily as it was given, and you must be able to locate and delete their data when you have no other lawful basis to keep it.
You’ll also want to update the privacy notice on your website (and any terms and conditions that refer to it) so that it answers the personal data questions discussed in this post and is transparent about how you use the data.
Data breaches must be reported to the data protection authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and to the affected individuals without undue delay when the breach is likely to result in a high risk to them. Missing these duties is itself a GDPR violation subject to administrative fines: the notification obligations fall in the tier of up to 2% of global annual turnover or 10 million Euros, while violations of the core processing principles fall in the higher tier of 4% or 20 million Euros, whichever is greater.
If your company is a public authority, or its core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of personal data (health, biometric, political, religious and similar data), you must designate a data protection officer (DPO) to oversee compliance.
Basically, to make your business GDPR compliant, be transparent with people. Let them know what you’re doing, don’t ask for extraneous information, and let them opt in to giving it to you, rather than taking it by default.
For more information check out the official European Commission infographic on GDPR.
Thanks for reading “What You Need To Know About The GDPR”, feel free to share using the links below.