GDPR stands for General Data Protection Regulation. It’s a data privacy and protection regulation slated to officially begin on May 25, 2018.
What is GDPR
In Europe, there hasn’t been a whole lot of regulation around data protection since the pre-internet days, when GDPR’s predecessor, the 1995 EU Data Protection Directive, was created and enforced.
GDPR is designed to provide better protection of personal data—or personally identifiable information (PII)—to people living in the EU.
Here are some of the major effects GDPR will have:
More rights to EU Individuals
EU residents will now have the power to request a copy of any of their stored personal data. They can also request to be “forgotten” by entities that hold their data.
Compliance Obligations and Increased Enforcement
GDPR requires any company that collects personal data to implement appropriate policies and security controls, and to ask for consent wherever personal data may be collected. These regulations are strictly enforced, with fines up to the greater of €20 million or 4% of the company’s yearly revenue. That’s quite the chunk of change.
Notifications for Data Breaches
If companies do experience data breaches, they are now required to report them to data protection authorities.
GDPR Checklist
1. Learn more and communicate with your team
Reading this article was an excellent first step. Now make sure decision makers in your organization know about GDPR so they can act to protect your company. It’s also important to make sure your staff knows about the regulation.
2. Analyze your company’s current use of data
Ask yourself some key questions that will uncover whether you have anything to worry about when it comes to GDPR’s implementation:
Do you collect data?
If so, why?
How do you use it?
Is it secure?
Do you share it with anyone?
3. Request consent
Make sure that whenever your website is asking for personal data, it’s also clearly asking for consent. This is absolutely crucial to the new GDPR regulations.
Does consent mean that you have to make users check a box for consent every time they fill out one of the forms on your website? Potentially, but not in every case.
According to the UK's Information Commissioner's Office (ICO), "Consent is appropriate if you can offer people real choice and control over how you use their data." If you can't necessarily offer a choice, then a user's explicit consent, beyond their implied willingness to fill out a clearly labeled form, is not really necessary.
What does that mean for your website?
If you're collecting data without being clear on how that data will be used, you will need to immediately rectify the situation by allowing users to opt in and choose how their data will be used.
If you're collecting data through forms that tell users how it will be used, and allowing users the option to unsubscribe, you will be in much better shape when GDPR rules officially take effect.
4. Learn about the rights of the people whose data you’re collecting
GDPR will give people whose data has been collected new rights. That includes the right to request to be “forgotten” and the right to request a copy of their personal data being held.
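As an added illustration of steps 3 and 4 (not code from the original article), here is a hypothetical Python store that refuses a form submission unless the consent box was affirmatively ticked, records the stated purpose with a timestamp, supports unsubscribing, and services the two rights named above: a copy of the held data and erasure. The class and method names are assumptions, and the form layer is assumed to hand over the checkbox state as a real boolean.

```python
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

@dataclass
class ConsentRecord:
    purpose: str            # the use stated next to the checkbox on the form
    granted_at: str         # UTC timestamp of the affirmative opt-in
    withdrawn_at: str = ""  # set when the person unsubscribes

@dataclass
class DataSubject:
    email: str
    data: dict = field(default_factory=dict)
    consents: list = field(default_factory=list)

class PersonalDataStore:
    def __init__(self):
        self._subjects = {}  # hypothetical in-memory stand-in for a database

    def submit_form(self, email, fields, consent_checked, purpose):
        # Consent must be an affirmative act: the box is unchecked by default,
        # and a submission without it is refused before anything is stored.
        if consent_checked is not True:
            raise ValueError("no consent given; personal data not stored")
        subject = self._subjects.setdefault(email, DataSubject(email))
        subject.data.update(fields)
        subject.consents.append(ConsentRecord(purpose, _now()))
        return subject

    def withdraw_consent(self, email, purpose):
        """The unsubscribe option: mark live consent for one purpose withdrawn."""
        subject = self._subjects.get(email)
        hits = [c for c in (subject.consents if subject else [])
                if c.purpose == purpose and not c.withdrawn_at]
        for c in hits:
            c.withdrawn_at = _now()
        return bool(hits)

    def export_copy(self, email):
        """Right to a copy: everything held about the person, or None."""
        subject = self._subjects.get(email)
        if subject is None:
            return None
        return {"email": subject.email, "data": dict(subject.data),
                "consents": [asdict(c) for c in subject.consents]}

    def erase(self, email):
        """Right to be forgotten: drop the record; True if something was removed."""
        return self._subjects.pop(email, None) is not None
```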
5. Plan ahead for data breaches (even though they'll never happen to you, right?)
GDPR gives companies 72 hours to report data breaches to the necessary authorities. Be sure you have a plan for doing this in the unfortunate case of a breach.
6. Learn if you’re a “Data Controller” or a “Data Processor”
GDPR enforces different regulations depending on whether an entity can be classified as a “controller” or a “processor.”
A “controller” is any entity that decides what type of information gets collected, how it gets collected and how it’s used.
A “processor” is the entity that processes data on behalf of the controller.