What is the General Data Protection Regulation (GDPR)?
GDPR is a new set of EU regulations going into effect on May 25, 2018. It provides citizens (and potentially non-citizen residents) of the European Union greater protections and rights pertaining to what companies can do with their personal information. The primary objective of GDPR is to protect individuals by reducing the amount of personal data available to organizations, and to provide them additional control over that data. Once this law goes into effect, the penalties for non-compliance increase significantly, and care has been taken to make these penalties enforceable globally.
I don’t live in the EU, does the GDPR still affect me?
Yes. Any website anywhere that collects and uses personally identifiable information about an individual residing in the EU must comply with GDPR. The regulation states that penalties are enforceable regardless of the country in which the company using the data operates.
What is considered personal data?
The EU GDPR laws apply quite broadly. The legislation defines “personal data” as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” This information includes, but is not limited to:
- Email address
- Location information
- Identification Numbers
- Bank Information
- Social Media posts
- Medical information
- IP Addresses
Consider Requests for Personal Data
GDPR grants users the ability to access their data in several ways, including:
- Requesting corrections to their data
- Requesting removal of their information, or
- Requesting to review the personal information collected.
A user requesting such information must provide the site operator with details necessary to identify that user. Be prepared for such requests: determine what information you require to verify an individual's identity and locate their information within your systems.
What web features are subject to the GDPR rules?
- Web forms that collect personally identifiable information.
- Features tracking IP address, session ID, or other unique identifiers that can be tied back to an individual.
- Meta tag snippets that contain tracking code that collects personal information on users, such as Google Analytics.
- Third-party integrations, including CRMs, marketing automation tools, and ERP systems.
What do I need to do?
Your responsibility for maintaining GDPR compliance will vary based on the nature of your business, target markets, and data collection methods your organization has implemented. The GDPR has many requirements about how to collect, store, and use personal data. Take these steps to evaluate your data’s compliance with the new regulations:
- Educate your organization on GDPR compliance requirements and appoint a primary point of contact for digital privacy related enforcement and education.
- Review all systems within your organization that collect or process end user data. This is not limited to your website platform. Consider CRMs, ERP Systems, Marketing Automation tools, and more.
- Review your procedures pertaining to the collection, storage, and processing of personal data falling under GDPR. Be mindful of the new data retention regulation and set up periodic reviews and audits of your data.
- Set policies and processes for effectively and appropriately reporting data breaches pertaining to data falling under GDPR. Be able to easily extract user data from your database.
Do I need to obtain consent before collecting personal data?
Yes. The GDPR requires that before collecting or processing personal data, controllers must have a specific legal basis to do so. Organizations must provide:
- What data is being collected
- What the data will be used for
- Who has access to the data
- How long the data will be kept
- Who to contact with concerns
Acquiring agreement could be as simple as including a checkbox on a form that requires users to confirm consent to the collection and storage of their information before they can submit their requests. It must also be easy for users to withdraw that consent if they wish.
- Identity and contact details of data controller
- Purpose of data processing and legal basis
- When and how personal information is shared
- Information collected that could be personally identifiable
- Information you do not collect from end users
- Relationships that may result in data transfer to third parties
- Safeguards to protect data
- Cookie Use and Purpose
- Data Retention Procedures
What happens if I am not compliant with GDPR regulations?
GDPR penalties fall into two tiers, depending on the severity of the infraction:
- Tier One
  - Two percent of global annual revenue, or
  - Ten Million Euro
- Tier Two
  - Four percent of global annual revenue, or
  - Twenty Million Euro
The tier applied will depend on the nature, duration, and severity of non-compliance, including:
- Was the non-compliance intentional or negligent?
- How many data subjects were impacted?
- What was the duration of the infringement?
- Were data prevention mechanisms in place?
- Does the data controller follow basic GDPR requirements?
- Are there prior infringements from the data controller or data processor?
- Did the data controller or data processor cooperate with regulators?
- Was the infringement reported voluntarily or under duress?