The new EU General Data Protection Regulation, known as GDPR, goes into effect as of May 25th, 2018. This policy was designed to protect the data privacy of European Union citizens. While it’s true that the regulations probably do not apply to most U.S.-based companies, there are many who may not realize their business is affected. The penalties for non-compliance are severe, so knowing your requirements is important!
Under the new rules, any company that receives the data of any EU citizen, whether a financial transaction takes place or not, is obligated to comply with the terms set forth by GDPR. “Data” is defined as any material which can be used to directly or indirectly identify the subject, such as personal and contact information like names, photos, emails, phone numbers, etc. However, it also includes other information, such as medical details, IP addresses, and even social media posts.
Obviously, if you have customers in the EU, you are required to meet the regulations. However, if your website collects data for lead generation or you track analytics or use cookies on your site, you are also responsible for meeting the GDPR criteria if any of that data comes from an EU citizen. If you are a data processor, meaning you have data which you process on behalf of a different company (referred to as the data controller), you are still expected to meet the criteria, whether you are the one who collected that data or not. If a data controller is using a non-compliant data processor, they will also be considered non-compliant, even if they personally meet the regulations.
So, what are these regulations? The new standards are too complex to cover in detail here, but here’s an overview of some of the biggest points:
- Long forms with extensive legalese or lengthy terms and conditions will no longer be an admissible way to gain the consent of a data subject. Forms must state in plain language the purpose for which the data is being collected. There must also be a simple way for a data subject to withdraw their consent.
- A data subject must be able to request that data controllers and processors permanently erase their data upon the withdrawal of consent.
- Data controllers and processors can hold and process only the minimum data required to complete their responsibilities.
- Data transparency is required. A subject has the right to request whether their personal data is being processed, and for what purpose. They must be able to obtain a free copy of the personal data in a commonly used, machine-readable format.
- Data controllers must notify data subjects within 72 hours of any data breach that will likely affect them and/or their rights as a data subject. Data processors must notify controllers immediately should a breach occur on their end.
This is just a topline look at some of the changes GDPR introduces. Again, if you do no business or data collection in Europe, and have no future plans for it, the GDPR regulations will not apply to you. But if you have any ties to the EU market, you must be compliant by May 25th. If the regulations sound complicated, consider the risks of non-compliance: a company found to be in breach of GDPR can be fined up to 4% of annual global turnover or 20 million Euros (U.S. $24 million)!
For more information and details about GDPR, visit the official website.