You might have noticed an increase in the “Privacy Update” emails in your inbox lately. That is in part due to a major change that is coming down the pipeline this month.
A new European Union (EU) data protection law, the General Data Protection Regulation (GDPR), takes effect on May 25, 2018—and the new regulations will impact businesses across the globe. Here’s what you need to know.
What is the GDPR?
It’s a new law that offers individuals in the EU more control over how their data is used by the businesses who collect it. Additionally, it sets strict guidelines for how businesses collect and process personal data. It’s designed to protect consumers’ privacy and ensure that their data is not used without their consent.
Who is affected by GDPR?
The new law replaces the EU Data Protection Directive, which applied only to businesses that process personal data on equipment located within the EU. The new law will apply to any business that collects data or tracks online behavior for marketing and sales purposes, regardless of location.
While the law is an EU law, that doesn’t mean American businesses are exempt. If you do business in the EU, you have to comply with the new regulations. If you offer goods or services to EU-based customers or monitor their behavior in any way, even if you don’t have a branch or office in the EU, you are obligated to comply. If you have an online presence, chances are GDPR will affect you.
What are the consequences of ignoring GDPR?
To put it frankly, it’s not something you want to ignore, as you can be hit with some pretty nasty fines of up to 20 million euros ($23.6 million) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The cost to your business doesn’t stop there, however. Fail to comply, and the reputation of your business could be at stake. Consumers are increasingly worried about their privacy, and if news spreads that your company is unable to protect customers’ data, that could damage your brand and business for a long time to come.
What must you do to comply with GDPR?
First and foremost, you should definitely research GDPR on your own and learn how it affects your business specifically. Check out the GDPR Portal for everything you need, but here are some basic rules you will need to follow:
- Be prepared to demonstrate how you handle data. At a moment’s notice, you should be able to explain exactly what methods you are using to protect consumer data, including secure storage, data encryption and more.
- Ask for customers’ consent. You are required to clearly state why you are collecting customer data, when and how you will use it and at what time you will destroy it. That information has to be fully transparent to customers—and you must ask them to provide consent to use their personal information.
- Delete customers’ information if you are asked to do so. Consumers have the “Right to Rectification” or the “Right to be Forgotten.” If they contact you and ask you to delete or change their information, you must do it immediately, and definitely within a month. That includes information that is stored in the database and everywhere else it has passed through and might remain (e.g., in a marketing spreadsheet stored on a computer).
- Move customers’ data if they request it. The “Right to Data Portability” means that customers can ask you to transfer all their data to another entity, even your top competitor, and by law you must do it.
- Follow the data minimization strategy. That means you collect and use only as much data as is necessary to complete a specific task. Furthermore, you cannot repurpose data you collect without gaining further consent from the customer.
- Notify customers—immediately—of a data breach. You must notify victims within 72 hours that their data has been compromised.
Where do you go from here?
Many American businesses aren’t prepared for GDPR—and quite a few are preparing for fines. Avoid the latter and act now:
- Confirm that GDPR applies to your business.
- Conduct an audit to determine what private data you have and where it is located.
- Know exactly what is happening to the data you collect, record and store.
- Determine if you are protecting it adequately based on the new GDPR regulations.
- Hire or appoint a data controller, a person who will oversee your process for collecting and storing data.
- Put into place company-wide policies that ensure GDPR compliance.
Don’t assume it is an IT problem to solve. It’s a business issue, and one that everyone who works with customer data should fully understand. Take steps now to ensure compliance.