Published: May 18, 2018
Disclaimer: This article is purely informational and should not be used as legal advice. Please consult an attorney to learn if your company is impacted by General Data Protection Regulation (GDPR) and how to comply.
Data privacy is on society’s brain. And GDPR is here, whether you’re ready or not.
What is GDPR?
On Oct. 6, 2015, the European Union and the United States Safe Harbor provisions ruled invalid by the European Court of Justice. Companies relied on these provisions for the transfer of information. Between the United States and the European Union/European Economic Area (EU/EEA). Thus, GDPR was enacted in 2017 to align privacy laws across Europe. This put EU and EEA citizens in control of their digital data. It went into effect on May 25, 2018.
Who does this impact?
If you think you’re safe from making any changes simply because your business isn’t located in the EU or EEA, it could be a mistake. If you provide goods or services to the EU and EEA or have personal data from or about any of their citizens. Will affect you, and you may need to make adjustments to comply with GDPR.
Personal data is defined as anything that would allow an individual to be directly or indirectly identified, including email, location and a unique identification number, to name a few.
GDPR specifically applies to data controllers and data processors. Meaning those who determine the purpose of the data (your company) and those who process the data on behalf of the controller (Google Analytics, for example), respectively.
What does this affect?
Frankly, more than you can imagine. Consumers’ personal data can be found in Google Analytics, and ad-buying platforms. This includes Google AdWords, social media platforms and their corresponding business/ad manager sites, email lists and contact forms, recorded UX sessions, CRM data, e-commerce and loyalty programs, and the list goes on and on.
Citizens of the EU and EEA now have full rights to access, remove and control their own personal data under GDPR. A few of the specific rights laid out in GDPR include:
- Individual Consent — organizations must clearly request consent to use a consumer’s data.
- The Right to Access — organizations must be able to provide individuals with access to their own data and explain it.
- The Right to be Forgotten — consumers have the right to remove their data from a data system.
- Data Breach Notification — consumers have the right to be notified when their personal information has been breached.
Okay, so what does this all mean?
Unfortunately, the consequences of ignoring GDPR can be costly; businesses can be fined up to €20 million or 4 percent of worldwide revenue if found non-compliant.
That being said, your business’s roadmap to GDPR compliance will vary depending on your business location, your consumers, your data collection tactics and the personal customer information that you store. Ultimately, you must read through the GDPR provisions and articles thoroughly. Audit your company’s data collection and storage practices, and consult a lawyer to determine compliance.
Ultimately, companies can leverage GDPR to gain customer trust by handling personal information with transparency, asking permission and being informative and thorough.