It’s not very often that new laws come along that fundamentally change the way we do business on a day-to-day basis. Meet the European Union's General Data Protection Regulation (GDPR). It's the most sweeping change in digital privacy regulation we've encountered in over 20 years.
GDPR in a nutshell
GDPR starts from the basic assumption that data about you should belong to you. It's a pretty radical change from previous laws. GDPR sets out principles and requirements to protect the data privacy of European citizens, including website visitors.
GDPR requires you to:
- Get informed consent before collecting data about someone
- Enable users to withdraw consent, and remove their data from your system
- Protect the personal data you've collected
The law is extraterritorial – it protects the rights of European citizens regardless of where their data is located.
If your company or website has any ties to the EU, you need to make sure that you’re compliant and are adhering to the rules. The fines for being noncompliant are to the tune of €20 Million, or 4% of annual global revenue. Minimum.
This has been in the works for years and takes effect on May 25, 2018.
What you need to know:
GDPR not only affects companies within the EU, but also any company that holds the personal data of EU citizens
Request for consent must be given in an intelligible form – meaning, no legalese
Consent must be “freely given, specific, informed, and unambiguous”
“By using this site, you accept cookies” doesn’t cut it as it does not give the potential data subject a free choice
It must be just as easy to withdraw consent as it is to give it; you must give users an opt-out option
If you’ve had a data breach, you are required to notify consumers within 72 hours
- Every employee involved in data processing or storage is expected to know the law – from product designers to engineers to executives
Examples of data GDPR is protecting:
Any kind of data that could possibly be used to identify an individual is protected by GDPR. This includes, but isn't at all limited to:
Basic identity information such as name, address, and ID numbers
Web data such as location, IP address, cookie data, and RFID tags
Health and genetic data
Racial or ethnic data
Does GDPR really apply to U.S. companies?
Maybe. It depends on whether your service targets EU citizens.
If you operate a B2B marketing website, with content only in English targeted at only US customers, then GDPR probably doesn't apply to you. But if your website can be reached via a country code address (such as mysite.fr or mysite.de), or has translated content written for those audiences, that's a pretty clear form of targeting. GDPR applies.
What you can (and probably should) do:
Hire a Data Protection Officer (DPO) to determine and ensure compliance with GDPR
Train and educate your team so that they have a thorough understanding of what data your company collects, how it is stored, and how it is used
Update your own policies and procedures for processing and storing data by May 25, 2018
It's time for your company to hit the pause button and fully assess how you’re handling data. Be honest - are you giving your consumers an empowering experience, or are you doing the bare minimum? Failing to follow this new regulation will cost you a lot more than money. It will cost you your consumer’s trust.
This blog is just a primer on GDPR. For more information and the full GDPR details, check out the official document.
If you're concerned about how GDPR affects your site, drop us a line. We'll help you figure it out.