If your company takes part in any form of data processing – particularly in the European Union (EU) – you’ve likely heard the term “GDPR” recently given the approaching May 25th deadline.
But what is it? And more importantly: how will it affect your business?
You may have done some research and found yourself a bit overwhelmed. Rightfully so – there’s tons of confusing material out there. We’ve done our own research and thought we’d take a stab at simplifying things.
With that, here are your CliffsNotes:
General Data Protections Regulation (GDPR) is an EU legislation that will enforce a higher standard of security measures in the digital economy. It aims to hold companies more accountable and protect users’ personal information.
What will it ask of businesses?
- Transparency: Letting clients know what info is stored, how it will be protected, and why that data is necessary. Being upfront about how long personal data will be stored and the extent to which third parties can access it. Explaining the risks posed with sharing their info.
- Accountability: Being held accountable for data breaches and alerting users of any such issue in a timely fashion. Complying with government requests and audits
- Consent: Gaining explicit permission to access certain user data. Presenting options to opt-out of services, marketing initiatives, and profiling measures.
- Privacy: Upholding reasonable safeguards against hackers. Allowing users access to their data if they so desire.
What constitutes “personal data”? This includes your name, address, health information, income, localization, cultural profile, online identification, and other valuable info.
Data breaches have become the norm in the realm of breaking tech news, particularly following Cambridge Analytica’s ugly electoral manipulation via Facebook.
GDPR is the course correction for our digital security. The regulation is predicated on a heightened sense individual control over personal information.
In the EU’s own legal language: The GDPR will “ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union.”
The bottom line: Technology has developed at an exponential rate over the last few decades, but security standards have stayed woefully behind the times. This EU motion works to bring user privacy up to par with modern tech.
The “Who” & “Where”
All companies who conduct business with citizens of the European Union (EU) are subject to the GDPR guidelines.
This applies even if:
- Your business is located outside of Europe if you happen to offer goods/services to EU citizens or store their personal info.
- You have not engaged in any financial transactions; a mere data-collecting marketing email counts.
The fine print: Even if you have no direct business with EU clients, simply having a web presence that engages with EU regions in any way makes you liable. That said, GDPR only protects EU citizens from data collection while they are in the EU.
The EU ratified the GDPR ruling back in April 2016, but allocated two years for companies to meet its standards.
On May 25, 2018, this window will finally close and require all relevant organizations to be GDPR compliant.
If that’s not the case, businesses can expect some form of punishment…
Regarding how the GDPR is going to be enforced, things get a little murky.
All EU countries will be subject to GDPR provisions, but how each nation enforces the requirements will undoubtedly differ. For the moment, the details there are a flat “TBD.”
What we do know: Each EU member state will appoint its own regulating committee – called a “Supervisory Authoritiy” – to be responsible for a number of tasks. This includes (but is not limited to) conducting audits, delivering warnings, and levying fines.
Penalties for non-compliance range from slap-on-the-wrist warnings to revocation of data processing functions to even substantial fines of up to 20 million euros or 4% of a company’s global annual turnover. Point being – it’s worth making sure you’re compliant.
In our next posts we’ll cover a deeper dive into privacy, an overview of what actions need to be done–both on the back-end (if your company doesn’t already meet standards) and the front-end so you can ensure you are upfront with users/customers when they first engage with you. Ex. Do I need a stronger opt-in when collecting an email address. Short answer: YES.
At Evercontact, data security and user privacy are the pillars we’ve sworn by since our beginning. With the GDPR compliance date rapidly approaching, we’ll continue posting info to help keep you in the know and we’ll happily share our own security standards.
If you have any questions about how we store your data or any of our privacy features, don’t hesitate to contact us at firstname.lastname@example.org.
Disclaimer: This article does not constitute legal advice.
Also published on Medium.