GDPR is an acronym for General Data Protection Regulation, a new EU regulation that dictates how companies should collect, process, and store personal data. Even though the law regulates the EU market only, it directly affects your company if you process any data of EU citizens. Why is there so much fuss about GDPR? Because non-compliance with GDPR will lead to serious fines of up to 20 million EUR. No business wants that to happen. GDPR comes into force on the 25th of May. You still have some time to get ready, but you’d better hurry up.
Ultimately, GDPR is a positive change for the EU citizens who will have more control over their personal data. For businesses, GDPR brings challenges but it also enforces unified procedures which might be beneficial for the business. Companies that strive to comply with GDPR tend to be viewed more positively by their customers.
There are two main aspects of GDPR – personal data and processing of personal data. Here is what these terms mean under GDPR:
GDPR is a strict law, but one may wonder how exactly the EU is going to check compliance. The EU plans to set up Supervisory Authorities (SA) in each member state. SAs will carry out the functions of supervisory and controlling authorities, including:
SAs will most likely form a network and work together in identifying and correcting non-compliant behavior.
The implications of the law have been observed all over the world, with companies updating their privacy policies and sending out email blasts to reassure customers of their compliance with the law. Almost 76% of US companies report that they will spend more than $1 million on GDPR. This shows that US companies have a very large pool of EU customers and that they are concerned about the implications of the law.
GDPR is a complex law with complex terminology and a plethora of new information. It’s best to study the law and common practices as well as receive legal advice before you decide on concrete measures. However, these are the most common measures that the companies take to become GDPR compliant:
You’re also advised to only store the data that’s absolutely necessary. By limiting data collection and the number of data points, GDPR encourages companies to adopt safer policies.
By publishing a new policy you can cover most points mentioned in GDPR. But you also have to make sure that there are procedures in place for data retrieval, data portability, and consent withdrawal.
We have seen many companies automating data removal and portability, as well as others who simply ask users to email them for their request to be fulfilled.
Of course, it’s best to avoid data breaches altogether. But if for some reason, it’s not possible, you’ll need to notify all those affected by the breach within a short period of time.
Surprisingly for many site owners, you are responsible for all the personal data you collect, including the data collected through plugins. Make sure every plugin you use is compliant with GDPR. So far only a limited number of plugin developers have announced their plans in relation to GDPR. If your plugin providers aren’t compliant with GDPR, it’s your responsibility to establish a data flow and inform users about the processing of their data.
Another important implication of GDPR is the changes that the law brings to how consent is collected. For example, a checkbox that is preselected isn’t enough anymore. You have to provide the users with the opportunity to give explicit consent, which they can do by checking the box manually or clicking the “accept” button.
Opt-ins should also be unbundled meaning you need to clearly set out the acceptance of terms and conditions, and then separately set out the consent for other ways of using data. Granular opt-in is preferable and the users must be able to give consent for different types of processing.
If you’ve ever purchased email lists from third parties you need to stop now. Continuing to use email lists received from third parties is a direct violation of GDPR.
The industry standard is a double opt-in: after the user provides their email, they finalize their subscription by clicking a confirmation link in the follow-up email. Even though double opt-in isn’t a GDPR requirement, it’s an industry practice that will help you prove that proper consent was obtained.
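The consent and double opt-in flow described above, as an added example (Python, not code from the original post): the form hands over only the purposes the user ticked, the confirmation link carries an HMAC-signed, time-limited token so it cannot be forged or edited, and the confirmed record holds what you would later need to prove consent. The signing key, the purpose names and the policy version are constructed assumptions for the example.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed for this example: a real service loads the key from a secret store.
SIGNING_KEY = b"example-only-signing-key-change-me-0123456789"
TOKEN_TTL_SECONDS = 24 * 60 * 60               # confirmation links expire after a day
PURPOSES = {"newsletter", "product_updates"}   # constructed processing purposes
_pending = {}   # email -> purposes awaiting confirmation (stand-in for a database)
_consents = {}  # email -> recorded consent (stand-in for a database)

def request_subscription(email, ticked_purposes, now=None):
    """Step 1: the form is submitted. Only purposes the user ticked arrive here,
    so a box that is never pre-selected never silently becomes a purpose."""
    now = int(time.time() if now is None else now)
    purposes = sorted(set(ticked_purposes) & PURPOSES)
    if not purposes:
        raise ValueError("no explicit consent was given")
    payload = json.dumps({"email": email, "purposes": purposes, "iat": now}).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    _pending[email] = purposes
    # The token goes into the confirmation link; the MAC stops forging or editing it.
    return base64.urlsafe_b64encode(payload + mac).decode()

def confirm_subscription(token, now=None):
    """Step 2: the link is clicked. Returns the stored consent record, or None when
    the token is forged, expired, already used or no longer matches the request."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    payload, mac = raw[:-32], raw[-32:]
    if not hmac.compare_digest(mac, hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()):
        return None
    data = json.loads(payload)
    if now - data["iat"] > TOKEN_TTL_SECONDS or _pending.get(data["email"]) != data["purposes"]:
        return None
    # What a confirmed record must let you prove later: who, which purposes, when, under which text.
    record = {"email": data["email"], "purposes": data["purposes"],
              "confirmed_at": now, "policy_version": "privacy-policy-2018-05"}
    _consents[data["email"]] = record
    del _pending[data["email"]]
    return record

def withdraw_consent(email, purpose):
    """Withdrawing one purpose leaves the others untouched (granular consent)."""
    record = _consents.get(email)
    if record is None:
        return None
    record["purposes"] = [p for p in record["purposes"] if p != purpose]
    return record["purposes"]
```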