If you work on the web (and we know you do), you may have heard the acronym GDPR bandied about online and in the news lately. If you do any business within the EU (European Union) or with businesses / individuals who reside in the EU, you need to be aware of this new regulation.

What is GDPR?

GDPR stands for General Data Protection Regulation. Adopted by the European Parliament in April 2016, it applies from May 25, 2018. It is a regulation that affects any business that processes or holds the personal data of people in the EU, whether that business sells into the EU or merely tracks EU visitors on its website, regardless of where the company itself is located.

The purpose of the GDPR is to give people in the European Union control over their personal data: how it is collected, what it is used for, and whether it leaves the EU. Companies can no longer rely on implied consent when tracking people or collecting / holding their data; where consent is the basis for processing, it has to be a clear, affirmative action by the person.

Unlike its predecessor, the 1995 Data Protection Directive, which each member state transposed into its own national law, the regulation applies directly and uniformly across the 28 EU member states and reaches companies outside the EU that process EU residents' data. Fines for breaching it can reach 4% of annual global turnover or €20 million, whichever is higher. That is the maximum; the regulation takes a tiered approach, with a lower tier of 2% or €10 million for lesser infringements, and the amount depends on the nature and severity of the breach.

Why should you care about the GDPR

Any business could be breaching the regulation by an act as simple as using cookies on its website to track visitors' actions for analytics purposes without valid consent. If your business has clients, or even website visitors, in the EU, you need to comply with GDPR.

Personal data, as defined by the regulation, includes but isn’t limited to: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” (Source)

The possibility of fines aside, many companies who do business in or with the EU are embracing this new regulation for the simple reason that it creates one standard for ALL EU countries. There's no need to worry about varying regulations from country to country. But the standard is high, so every company should actively review what it must do to comply.

Quick steps towards GDPR compliance

  1. Start with a review of where your business asks for personal information from customers. If you're not in the EU, this is likely limited to your website. Do you have an email marketing sign-up form? An online form for other purposes? Do you collect email addresses or financial information for transactions / purchases? Every one of these needs a lawful basis. Data needed to fulfil a purchase is covered by your contract with the customer, but marketing contact normally rests on consent, and under GDPR that consent must be a specific, affirmative opt-in (no pre-ticked boxes, no consent bundled into the terms of sale), recorded so you can show when and to what the person agreed, and as easy to withdraw as it was to give. Contrast this with the Canadian Anti-Spam Legislation (CASL), which lets a business contact an existing customer for up to 2 years on implied consent.
  2. Are you tracking data on your site through cookies and / or social media (share buttons are an example of this)? IP addresses, for example, are personal data, so if you're recording them from your visitors you need a basis for doing so, and for tracking cookies that basis is consent. It's not enough to say "You're consenting to data collection by using this site." You may notice a lot more websites showing a banner that explains which cookies the site sets and asks the user to accept (or not); continuing to browse, scrolling, or closing the banner does not count. This is active, explicit consent as the regulation defines it, and the tracking scripts should not run until it has been given.
  3. Do you have a plan for a data breach, and for requests from the people whose data you hold? If you are collecting personal data, you need to know what you hold, where it lives and how it is protected. If a user requests the data you have collected on them, you need to be able to a) provide it and b) delete it at their request, and you generally have one month to respond. When a breach of personal data does happen, the regulation gives you 72 hours from becoming aware of it to notify the supervisory authority (unless the breach is unlikely to put people at risk), and you must also tell the affected individuals without undue delay when the breach poses a high risk to them.
  4. Revamp your privacy policy. You should be clearly stating on a page of your site:
    1. What data you collect.
    2. For what purposes, and on what lawful basis.
    3. How long you keep it and how it is protected.
    4. Whether it is provided to third parties, and if so to whom.
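Steps 1 and 2 above describe an opt-in consent flow: nothing non-essential runs until the visitor takes an affirmative action, the consent is recorded with a timestamp and policy version, and it can be withdrawn as easily as it was given. The following is an added JavaScript example of how a site might implement that gate in the browser; it is not code from the original article. It assumes a storage object with the localStorage interface and a loadScript function supplied by the page (for example one that appends a script tag); the names createConsentManager, POLICY_VERSION, CONSENT_KEY and the script URLs are hypothetical.

```javascript
// Added example (not from the original article): gate non-essential cookies and
// tracking scripts behind an affirmative opt-in, and keep a record of that consent.
// Assumptions: `storage` has getItem/setItem/removeItem (e.g. window.localStorage)
// and `loadScript(url)` is supplied by the page. All names here are illustrative.

const POLICY_VERSION = "2018-05-25"; // bump when the privacy policy or purposes change
const CONSENT_KEY = "consent_record";
const CATEGORIES = ["analytics", "marketing"]; // strictly necessary cookies need no consent

function createConsentManager({ storage, loadScript, now = () => Date.now() }) {
  // Scripts registered per category; nothing is loaded until consent exists.
  const pending = Object.fromEntries(CATEGORIES.map((c) => [c, []]));
  const loaded = new Set();

  function readRecord() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    // Consent given under an older policy version does not carry over: ask again.
    if (!rec || rec.version !== POLICY_VERSION || !rec.granted) return null;
    return rec;
  }

  function loadCategory(category) {
    for (const url of pending[category]) {
      if (!loaded.has(url)) { loadScript(url); loaded.add(url); }
    }
  }

  // Register a third-party script under a category. Loads immediately only if
  // a valid, current consent record already grants that category.
  function register(category, url) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    pending[category].push(url);
    const rec = readRecord();
    if (rec && rec.granted[category]) loadCategory(category);
  }

  // Call this only from the user's affirmative action (e.g. clicking "Accept").
  // Scrolling, continued browsing or closing the banner must NOT call this.
  function grant(choices) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = Boolean(choices[c]);
    const rec = { version: POLICY_VERSION, timestamp: now(), granted };
    storage.setItem(CONSENT_KEY, JSON.stringify(rec)); // the evidence of consent
    for (const c of CATEGORIES) if (granted[c]) loadCategory(c);
    return rec;
  }

  // Withdrawal must be as easy as giving consent. The caller should also delete
  // the vendor cookies already set (their names depend on the vendor).
  function withdraw() { storage.removeItem(CONSENT_KEY); }

  function hasConsent(category) {
    const rec = readRecord();
    return Boolean(rec && rec.granted[category]);
  }

  function needsBanner() { return readRecord() === null; }

  return { register, grant, withdraw, hasConsent, needsBanner };
}

// In-memory stand-in for localStorage so the flow can be exercised outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Walk through the banner flow with constructed inputs: nothing loads until grant().
function demo() {
  const loadedUrls = [];
  const cm = createConsentManager({ storage: memoryStorage(), loadScript: (u) => loadedUrls.push(u) });
  cm.register("analytics", "https://analytics.example/tag.js"); // hypothetical URL
  cm.register("marketing", "https://ads.example/pixel.js");      // hypothetical URL
  const beforeClick = loadedUrls.length;  // visiting the page is not consent
  cm.grant({ analytics: true });          // user ticks analytics only
  const afterClick = loadedUrls.slice();  // only the analytics tag was loaded
  cm.withdraw();
  const analyticsAfterWithdraw = cm.hasConsent("analytics");

  // A record saved under an older policy version must trigger the banner again.
  const stale = memoryStorage();
  stale.setItem(CONSENT_KEY, JSON.stringify({ version: "2017-01-01", timestamp: 0, granted: { analytics: true, marketing: true } }));
  const staleNeedsBanner = createConsentManager({ storage: stale, loadScript: () => {} }).needsBanner();

  return { beforeClick, afterClick, analyticsAfterWithdraw, staleNeedsBanner };
}
```

In a real page, grant is wired to the banner's button handler, withdraw to a "cookie settings" link in the footer, and the record returned by grant is what you can later show an authority as evidence of when and to what the visitor agreed.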

For more in-depth information on GDPR and how to ensure your business is compliant, check out this 12 step guide from the U.K. Information Commissioner’s Office.