The changes that are currently underway concerning the data privacy of European Union (EU) residents are nothing short of monumental, and they concern you.
If you’re in business, then you will, to some extent, be in control of your customers’ personal data. Whether this is email addresses, home addresses, business addresses or more ‘personal’ information such as medical records, it really doesn’t matter.
It also doesn’t matter if your business is not located within the EU itself. Indeed, if your business has a presence on the World Wide Web, then you potentially have a worldwide customer base, and unless you block traffic and transactions from the whole of the EU, then the new EU data privacy regulation – known as the General Data Protection Regulation (GDPR) – applies to and impacts you and your customers.
What Is The General Data Protection Regulation (GDPR)?
The GDPR is an EU regulation that was three years in the making and finally agreed upon in December 2015. It has been put together with the purpose of both strengthening and unifying data protection for all individuals within the EU, and includes legislation that addresses the export of personal data outside of the EU – hence the global implications of the regulation.
Although the GDPR will not come into force immediately – most forecasters agree that sometime during the first half of 2018 will be the true date of impact – the onerous obligations that the regulation contains mean that it is imperative that you start making preparations now, so that you are not caught out when the time comes.
How you handle your customers’ information today may not be compliant with the GDPR when it kicks in. The looming changes are serious, as are the penalties for non-compliance.
Here are the top five things that you need to know about the looming GDPR.
5 Things You Need To Know About the GDPR
The GDPR is set out in extreme detail in a document that is over 200 pages in length. We do of course encourage each and every one of you to read it, but we also appreciate that you might not have found the time to do so as yet.
As such, we have put together what we think are the top five most critical points of the GDPR that will affect most organisations.
1. The GDPR Is a Regulation, NOT A Directive
The GDPR is a regulation that applies directly to all Member States of the EU. It is a blanket regulation, meaning that it will become law in all 28 EU countries equally when it passes (directives, by contrast, are transposed into national law by each country on its own terms).
2. Fines for Non-compliance Are Enormous
If proof were needed that the European Commission (EC) is absolutely serious about enforcing the GDPR, then the fine figures for non-compliance should provide it amply. Data Protection Authorities (DPAs) will have the power to fine businesses up to €100 million or 5% of a company’s annual revenue (whichever is higher), depending on the severity of the offense.
3. Full Disclosure
To ensure compliance, first and foremost businesses must provide full, unambiguous disclosure to customers, followers and site users that their data is going to be collected. Furthermore, clear information must be provided as to the purpose – or multiple purposes – for which the data will be used.
4. Explicit Consent
Full disclosure is only the beginning – when the GDPR kicks in, all users must give explicit consent that their data may be collected and used. The request for consent must be clear and concise, must not be presented in any unusual or ambiguous context, and consent cannot be implied. Users must complete a specific action to indicate consent, such as ticking a box (at the very least) or providing a digital signature confirming that consent is given.
In addition, businesses will need to keep records of all consents given, as the regulation requires, since they may be asked to produce evidence of these at any time to demonstrate compliance.
5. The Right to Be Forgotten
Data subjects (i.e. those whose data has been collected) will retain the right to access their data as and when they want to, and businesses must provide the means to facilitate this. Furthermore, data subjects will have the right to withdraw consent at any time, as well as the right to have all processing of their data cease and/or to have it erased.
As mentioned above, we highly encourage every business with a digital presence to read and familiarise themselves with the whole GDPR document, for these five points are just the very tip of the iceberg.
And, as a final word, it should be noted that one of the main purposes of the regulation is to ensure that businesses provide data protection by default, not merely as an afterthought. Put simply, there will be no excuses when the GDPR kicks in, and we must assume that examples will be made of non-compliant companies.
The time to start revising your data protection policies is now.