Back to Insights

What is GDPR and What Does It Mean to Your Business?

by Brian Colling - April 27, 2018

What is GDPR and What Does It Mean to Your Business?

We’ve discovered there is a lot of confusion around the soon-to-be-implemented GDPR rules. So, to help you become more familiar with how you can protect your business from getting blindsided by a letter from the European Union explaining why you may owe it a large sum of money, we’ve put together this FAQ. Legally, we need to say we are not lawyers and the following descriptions of the regulations or recommendations in no way constitute legal advice.

What does GDPR stand for?

GDPR stands for General Data Protection Regulation, and it is a regulation set by the European Union. The regulations set firm rules for how businesses collect and store customer data. Essentially, collecting any kind of personally identifiable information (PII) from an EU resident triggers GDPR rules.

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period, meaning it will be enforced in May 2018.

The law becomes enforceable on May 25, 2018.

Who does the GDPR affect?

The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

There are two types of companies:

1. Those that have operations or employees inside Europe (easy to enforce if you operate inside Europe)
2. Those that do not (not so easy to enforce)

Under GDPR, the EU requires that businesses in the second category appoint a representative in the EU.

Why Does the GDPR Affect American Businesses?

GDPR applies to any business anywhere in the world that processes the personal data of EU citizens. Since your website or product/service can be accessed by anyone residing in the EU, your business should consider complying. The standards can be enforced if a resident of the EU is in America and surfing the net. There may come a time when the U.S. Federal Government adopts the same or similar law.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. Here are some examples:

• Name
• Address (or even portions of an address like zip code)
• Phone numbers
• Email addresses
• Photographs
• Social Security numbers
• IP addresses
• Financial data
• Religious or political views
• Race and sexual orientation
• Health information
• Behavioral data

Basically, anything that can be tied back to an individual.

How to Comply with the GDPR

Update your Consent & Privacy Policy. Data collected must be “opt-out by default”. The policy must state what data is collected, who has access (including 3rd parties), and what it’s used for. 3rd party access opens up a whole new dimension of what your Consent & Privacy Policy will look like. In the end, your business is responsible for what 3rd parties do or don’t do with user information provided by your business.

Include a Data Access & Portability mechanism. Users must be able to view their data, make changes to it, request removal, and take it with them.

Create a data breach protocol alerting users when their data has been or may have been compromised.

Create a Right to be Forgotten mechanism. Users can request that all of their data be deleted. Not all requests can be granted because in many cases data removal is subject to regulatory requirements (tax purposes, etc.)

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million (approx. 24 Million U.S). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

Four Non-Compliant Types:

• Warnings
• Reprimands
• Suspension of data processing
• Fines

Recommendations

• Become familiar with how GDPR will affect your business
• Consult a lawyer for privacy policy language
• Consult your IT professionals on the best way to implement GDPR into assets like your website and other areas where you gain and store user information

Resources

Source material included from:

You may also enjoy this article: Brand Reputation Management – Why your company needs a crisis plan

Get In Touch

  • This field is for validation purposes and should be left unchanged.
480.889.8944