By now, you’ve likely heard of the European Union’s crucial data privacy regulation, but may not fully understand the general requirements of GDPR — especially if your company operates outside of the EU.
Considered the most significant privacy regulation in 20 years, this set of regulations — established in 2018 — is a substantial step up from the EU’s previous data protection directive.
The new initiative transforms how organizations in every sector handle personal data and, for the first time, gives people a say over who collects their data, when it’s collected, and how it’s used.
With this regulation, companies can’t just clean up the mess and say “sorry” after a personal data breach. They also can’t collect and use consumer data without oversight or plainly worded disclosures. Stiff penalties now exist for data breaches and data privacy violations.
To prove GDPR compliance, organizations must take steps to protect a data subject’s privacy from the get-go. Transparency is the name of the game — a new notion to many organizations that have traditionally put data privacy on the backburner.
GDPR compliance can seem overwhelming, but in the long-term, we expect to see better user/customer experiences, fewer data breaches, and greater trust between consumers and organizations regarding personal data.
-
While the GDPR is mandated by the EU, it affects every country.
To replace a 1995 data protection initiative, the European Parliament approved the General Data Protection Regulation in 2016, but the changes didn’t take effect until 2018. For U.S. companies that believe they’re exempt from GDPR because they don’t do business with folks across the pond, think again.
GDPR changes apply equally to other countries as they do to the EU. Whenever any organization, EU or otherwise, offers goods or services to EU data subjects, they’re responsible. Using this GDPR checklist, U.S. companies can prepare for associated regulations and requirements.
-
GDPR requirements apply to most kinds of personal data.
An organization must follow GDPR requirements for almost every data point it collects, regardless of what platform it uses to collect it on. This is particularly true if the data point helps identify a specific individual. Furthermore, it includes data routinely requested by websites, such as IP addresses, e-mail addresses, and information about physical devices. Under GDPR, personal data is protected in the following ways:
- Basic identity information
- Web data (like location, IP address, cookie data, and RFID tags)
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
- Any information that relates to an identified or identifiable living individual
As you can imagine, “basic identity information” is a broad category. It includes user-generated data, like social media posts, personal images uploaded to websites, medical records, and other uniquely personal information commonly transmitted online. Yes, that means organizations must protect your tweets and Facebook statuses.
-
GDPR posits that users have 8 basic rights regarding personal data and data privacy.
In accordance with the General Data Protection Regulation, all users are entitled to eight rights. A GDPR-compliant organization must respect these rights or face serious penalties:
Individuals have the right of access to their personal data. As well, they may want to know how their data is used, processed, stored, or transferred. If requested, you must provide an electronic copy of the personal data free of charge.
Individuals have the right to be informed and to consent (not implied consent) before their data is gathered and processed.
In order to exercise the right to data portability, individuals are free to transfer their data between providers at any time. In order for the transfer to be successful, it must be done in a machine-readable format that is commonly used.
It is the user’s right to be forgotten if they no longer wish to be tracked, or if they withdraw their consent to be tracked.
In the event that a user objects to the use or processing of their data by you, they may request that you cease to do so; this rule does not apply in any other circumstances. The user must make this request before any processing can continue.
Restricted processing: Individuals have the right to request that data processing be restricted or that a specific kind of processing be stopped. There is no need to remove their data if they wish.
When personal data is compromised, individuals have the right to be notified. Your organization must notify the authorities within 72 hours of discovering a breach.
Data rectification: Users may request that their personal data be updated, completed, or corrected.
A person has considerable power over their data when they exercise these rights. Currently, individuals have access to a variety of tools for limiting and prohibiting the use of their personal information by organizations.
-
To avoid non-compliance, designate a representative physically located in the European Union.
It’s time for your U.S. company to acquire a European presence if it processes data of EU residents. Having EU-based customers or visitors on your website means you need to comply with EU laws. There is a physical representative in the European Union for contacting EU supervisory authorities and data subjects as well as maintaining processing records.
A person or entity that is unaffiliated can be designated as your data protection officer if you do not already have a subsidiary, corporate affiliate, or external data protection officer in EU territory. “GDPR Representative as a Service” enables you to hire an EU representative for a flat fee from a U.S. company. To meet GDPR requirements, you list your EU contact as your EU contact. You can stay compliant with GDPR quickly and easily with this service.You can stay compliant with GDPR quickly and easily with this service.
-
Ignoring or evading GDPR compliance can cause hefty penalties.
A major change in thinking has occurred with the General Data Protection Regulation, and it is safe to say many U.S.-based companies are still unsure of what to do. As GDPR took effect, companies were granted a grace period to get accustomed to it.
Companies nowadays must at least show officials that they’re working hard toward compliance and accountability. Non-compliance can result in penalties of up to 2% of global turnover of the preceding fiscal year.
-
When collecting personal data, your company must switch from “opt out” mode to “opt in” mode.
Adopting the principle of affirmative consent is essential to GDPR compliance. In the context of data collection and processing, this requires a shift from an “opt-out” approach to an “opt-in”.
By requiring explicit permission before collecting, storing, and processing a user’s personal data, you now cannot assume consent (by opting them in automatically and providing an opt-out method). If you are simply adding a customer’s e-mail address to your newsletter list, this new approach applies.
Furthermore, users have the right to determine how you use their data, not just whether you collect it and use it. Those who have their personal information exposed to themselves and others have the right to challenge and appeal it.
Google might, for example, violate a user’s privacy rights by using their data to refine its algorithm. As a result of their right to be forgotten, a user may opt out entirely at any point, in which case it’s your responsibility to delete all their data.