The Skinny on GDPR
What does GDPR Stand For and What does it Do?
GDPR stands for General Data Protection Regulation. Originating in the European Union, the new regulations are intended to ensure data protection standards for all citizens of the EU. Website visitors are able to identify what data a company is collecting and how the data will be used. Because (EU) websites must now declare that they are using cookies to collect data, website visitors also have the option to say no (or yes) to this collection of data.
Why Does GDPR Matter?
As social media has become increasingly integrated into our lives, so, too, has the unseen exchange of data for ‘free’ services. What makes a user valuable to a platform like Facebook, Pinterest, or YouTube is the data associated with that person which, in turn, can be used to generate leads and provide targeted eyeballs to advertisers. Data collection and analysis has become big business, and before stricter regulations came into place, how individual data was protected varied widely. Website users often had to navigate to a page in order to manually select any kind of restriction on data collection and use.
While having an easy way to understand what data is being collected and how it’s being used is a good thing for consumers, it’s also helpful for businesses to have a simple, standardized set of rules to follow.
Do I Need to Care if I’m Not in the EU?
The short answer is yes. If your online business is accessed by anyone in the EU (and, most blogs, websites, Facebook business pages, and so on, are accessible by anyone, anywhere – that’s what is so great about the big, wide world of social media), then your business is bound by GDPR. What matters is the source of the data. So, if you have customers (or website visitors who provide you with an email address in exchange for a giveaway, for example) who happen to live somewhere in the EU, then you’re bound to these regulations. Yes, there is a workaround. You can block EU countries from seeing your website, which means you no longer have to be GDPR compliant, but in some instances, this can limit your brands’ reach.
How Do I Ensure My Business is GDPR Compliant?
First, it’s essential that you obtain consent from your customers or website users and this consent must be actively given (it’s no longer good enough to offer an opt-out option where someone has to choose NOT to allow you to collect data). At any point, a client can change their mind and rescind that permission. You also need to be able to prove that you obtained consent from someone prior to collecting any information. These rules went into effect in May of 2018 (you may remember a rash of requests leading up to the deadline from online organizations asking you to confirm that you did, in fact, wish to stay in touch and that you were aware these companies were collecting information about you).
Each business collects slightly different information, uses it in different ways so there isn’t any one particular set of strategies for protecting that data. Instead, a thorough understanding of both the regulatory requirements and your particular business practices will lead you to setting up appropriate data protection protocols.
What Data Counts?
Pretty much any information that can be connected to an individual falls under the jurisdiction of the new regulations. Email addresses, IP addresses, genetic and biometric data, photographs, birth dates, addresses, and so on are all considered to be personal information and, as such, must be collected only if appropriate and with the consent of the person providing the data. If you do collect information, individuals also have the right to know what that information is and how it’s being used. Regulations now require that you respond and provide details of collected data to anyone who asks for the details about what you have collected about them within 30 days. If you’ve messed up and made an error somewhere, users can also request the mistake be corrected.
Does the Internet Ever Forget?
While it’s true it’s not a good idea to post anything online you wouldn’t want to have shared on the front page of the local paper, the GDPR requires an organization to delete data at any point if someone makes that request.
Are There Penalties for Non-compliance?
Definitely. Large fines (a percentage calculated based on your business’s annual turnover) can be levied if you don’t reveal to appropriate authorities that you’ve had a data breach within 72 hours of becoming aware of a problem. In addition, individuals impacted by data breaches must also be informed should a company have been hacked. Even larger fines are possible if data has been compromised and if your company has not been compliant.
What Should I Do if Company Data has been Compromised?
Strict rules now govern how your business must report any data breaches. Not only must you contact the relevant governing body, but also each person potentially impacted. Providing full details on the type of data that has been unlawfully accessed as well as how that data might be used is all part of the required reporting process as is your company’s plan to mitigate the impact of compromised data. Your company (if you collect a large amount of or particularly sensitive data) should have an appointed data protection officer and that person’s contact information must be made available to authorities.
Need help navigating the GDPR waters? If you want to make sure that you are fully compliant, we can help! Submit a request for Free Audit, and our team will test and confirm compliance among many other performance and security issues within your online footprint.