You’ve seen it on the news. You’ve read about it in the blogosphere. You’ve probably even received a flood of emails about it in your inbox. There’s no escaping GDPR — and though most business owners are aware that it “has something to do with emails and data security,” the truth is that most of us could still use a crash course on this important piece of legislation.
The General Data Protection Regulation, abbreviated GDPR, became applicable on May 25, 2018. This European Union regulation protects personal data by placing strict limits on how organizations may collect and process it, whether the processing happens online or off.
In broad terms, GDPR was passed to protect the personal data of people in the EU (residents and visitors, not only citizens), to let them withhold consent, to make requesting or deleting stored data feasible, and to reshape the way organizations across the region approach data privacy. Of course, the question you as a business owner are likely asking yourself is "what does this mean for me in concrete terms?" Let's take a quick look at a few of the most important requirements for GDPR compliance.
GDPR Requirements Explained
If you are unsure regarding your company’s legal obligations in the wake of GDPR, the best policy is to speak to an attorney who specializes in the topic. After all, the legislation itself is 88 pages long, so it’s impossible to condense every nuance into a short blog post. Nonetheless, we have listed six of the most important requirements enforced by GDPR for those looking to gain a basic understanding.
- Practice Data Masking. Companies should pseudonymize or anonymize personal data – including names, addresses, behavioral data, contact numbers, etc. Replacing direct identifiers with tokens limits what an attacker learns from a stolen dataset. Note the legal distinction, though: pseudonymized data is still personal data under GDPR, because the key or lookup table that maps tokens back to people exists somewhere and must itself be protected. Only genuinely anonymized data, which cannot be re-linked to an individual by any reasonably likely means, falls outside the regulation.
- Collect Data for a Concrete Purpose. Companies must be able to explain their purpose for collecting each piece of data, and why, how and when they will use it. They also need a lawful basis for the processing before they collect anything: consent is one such basis, but so are performing a contract, meeting a legal obligation and the controller's legitimate interests, among others. Where consent is the basis it must be freely given, specific and informed, and explicit consent is required for special categories such as health or political data.
- Organize Data Logically. Companies must document all personal data they hold, including where it came from, and keep records of all processing activities. Creating and maintaining a centralized data register (a record of processing activities) is the easiest way to accomplish this.
- Appoint a DPO. Companies whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as political or religious beliefs, health, or racial or ethnic origin), are required to appoint a Data Protection Officer (DPO); public authorities must appoint one regardless of scale. This article from PwC offers a pretty good overview of whether or not you will need to hire a DPO.
- Notify Affected Parties Promptly After a Data Breach. If personal data is breached, companies must notify the supervisory authority no later than 72 hours after becoming aware of the breach (a later notification must explain the delay), and must inform the affected individuals without undue delay when the breach is likely to put them at high risk. Companies should obviously focus on ensuring the highest level of data security and privacy when developing their websites and applications — but if this fails, taking responsibility quickly is always the best policy.
- Allow the Right to Be Forgotten. Should a user ask to have his or her personal data erased from your systems, you must comply promptly and comprehensively, including telling any processors or other recipients you shared the data with to erase it, unless one of the limited exceptions (such as a legal obligation to retain the data) applies.
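As an added illustration of the masking point above (example code written for this article, not part of the original post), the following Python contrasts a plain, unkeyed hash of an identifier, which anyone holding a list of plausible e-mail addresses can reverse, with a keyed HMAC token whose key is stored apart from the data. The record, the key and the guess list are constructed sample data.

```python
"""Keyed pseudonymization of direct identifiers versus a naive unkeyed hash."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample record for the example; not real customer data.
SAMPLE_RECORD = {"name": "Ada Lovelace", "email": "ada@example.com", "plan": "pro"}
DIRECT_IDENTIFIERS = ("name", "email")


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of the value. Anyone holding a list of plausible
    inputs (e-mail addresses, names) can recompute and match these, so this
    is not adequate pseudonymization for low-entropy identifiers."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """HMAC-SHA256 token. Deterministic for a given key, so records about the
    same person still join across tables, but useless to an attacker who
    steals the dataset without also stealing the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes, fields=DIRECT_IDENTIFIERS) -> dict:
    """Return a copy of the record with the listed direct identifiers replaced
    by tokens; non-identifying attributes such as the plan are left intact."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = pseudonymize(out[field], key)
    return out


def dictionary_attack(digest: str, candidates) -> Optional[str]:
    """Re-identification attempt against an unkeyed hash: recompute the hash
    of every candidate and return the one that matches, if any."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), digest):
            return candidate
    return None


def demo():
    # The key is the "additional information" that must be kept separately
    # from the pseudonymized dataset (e.g. in a secrets manager, not the DB).
    key = secrets.token_bytes(32)
    guesses = ["bob@example.com", "ada@example.com", "eve@example.com"]

    # Unkeyed hash: trivially reversed from a small candidate list.
    recovered = dictionary_attack(naive_hash(SAMPLE_RECORD["email"]), guesses)

    # Keyed token: the same candidate list gets nowhere without the key.
    masked = pseudonymize_record(SAMPLE_RECORD, key)
    not_recovered = dictionary_attack(masked["email"], guesses)
    return recovered, not_recovered, masked


if __name__ == "__main__":
    recovered, not_recovered, masked = demo()
    print("naive hash recovered:", recovered)
    print("keyed token recovered:", not_recovered)
    print("masked record:", masked)
```

The keyed form is still only pseudonymization: whoever holds the key can recompute a token from a known identity, and rotating or destroying the key is what eventually breaks that link. Until then the tokenized dataset remains personal data and the key needs the same access controls as the raw identifiers did.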
What are the penalties for non-compliance with GDPR?
The European Union has made it clear they aren't playing around when it comes to data privacy rights. Regulators have been authorized to levy fines of up to €20 million or 4% of a company's worldwide annual turnover, whichever is higher, for the most serious violations of the regulation.
In spite of this fact, it has become clear in the weeks since GDPR went into effect that many companies (and many nations) are simply unprepared for this massive change. Reuters has reported, for example, that many regulators are struggling to deploy these strict measures due to a lack of powers and of the funding needed to fully enforce GDPR. Moreover, problems of scale also come into play: it would be absurd to imagine stalwarts being slapped with a fine of 4% of annual revenue (over billions of dollars) because of a single complaint, after all.
Regardless of these complications, the fact remains that companies that are not yet prepared for GDPR would be best served by becoming compliant as quickly as possible. In addition to the risk of incurring legal penalties, your reputation is also on the line, as many consumers place tremendous value on working with companies that respect their personal information.
Does GDPR Impact Business Outside EU?
Think that you're exempt from GDPR simply because your business is based outside of the EU? You may be sorely mistaken. If you offer goods or services to people in the EU, or monitor their behaviour (website analytics and advertising trackers count), then the regulation applies to that data regardless of where your company sits, and you must treat the information in a compliant manner. Moreover, as data security and customer privacy become increasingly hot issues, the likelihood that the US and other major countries will eventually pass their own versions of GDPR also increases.
The best policy is to simply get proactive about protecting customer data, as this is undoubtedly the direction in which the regulatory future is headed. Scandals such as the Facebook Cambridge Analytica incident show what can happen to companies that break the rules, and the voice of customers is always getting louder in our internet-driven economy. Build a positive reputation by making good choices, and positive results are sure to ensue.