Everything You Need to Know About GDPR
You’ve probably heard the GDPR acronym, especially during Facebook CEO Mark Zuckerberg’s appearance before the United States Congress, but what exactly is it? More importantly, what does it mean?
What Is GDPR?
The General Data Protection Regulation (GDPR) is a law that gives residents of the European Union (EU) more control over their personal data, with a focus on keeping that data secure. Enforcement of the GDPR went into effect May 28, 2018. It applies to every citizen of the EU and to any business entity that transacts with them, regardless of where the business is located.
The regulation covers a broad array of personal data: any information that can be used to directly or indirectly identify an individual. That can be anything from a name, a photo or an email address to online activities, posts on social networks or even a computer's IP address.
Who Is Impacted by GDPR?
If your company collects any data from an EU customer as a result of a business transaction, you are subject to the rules and regulations of the GDPR. Two very important things to note:
- There are no restrictions or requirements based on company size, so essentially any business with an internet presence is potentially subject to this law.
- Any business collecting personal data from a citizen of the EU is subject to the GDPR regardless of where the business is located (e.g. a business located in the United States that targets EU citizens as purchasers of its product).
What Are the Requirements?
There are several requirements for GDPR:
- Consent – Before processing any personal data, a business must ask the person for permission. The request must be clear and concise, must not use legalese, must be unambiguous in meaning and cannot be hidden within Terms and Conditions or a Privacy Policy.
- Breach notification – Should a data breach occur, the company must notify all affected persons of the breach within 72 hours of discovery.
- Right to access – If a consumer asks how their collected data is being processed, where it is being processed and for what purpose, the company must comply with the request and provide a copy in electronic format free of charge.
- Right to be forgotten – If asked to do so, the company must erase all of the person's personal data.
- Data portability – Companies must provide a way for a consumer to receive any personal data they previously provided, in a common, user-friendly format.
- Privacy by Design – Compliant companies must follow Privacy by Design principles: process only the data strictly necessary to carry out the business purpose, and limit access to personal data to those employees who need it to complete the processing.
- Data Protection Officers – Large enterprises must maintain comprehensive records of the collection, processing and storage of personal data. In addition, these enterprises must designate a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse and unauthorized access.
There are stiff penalties for violating GDPR laws. Should a company fail to comply, the maximum penalty is a fine of up to four percent of annual global revenue or €20 million, whichever is greater. Other violations are assessed on a tiered basis depending on the infraction. For example, a company can be fined two percent for failing to notify consumers of a security breach within the 72-hour period.
How Are U.S. Marketers Impacted?
If your business resides in the U.S. but targets EU residents, your company must comply with GDPR regulations.
Outside of EU business transactions, several companies, including Facebook, have offered users beyond the EU additional rights. However, those rights don't have the force of law behind them, which means you cannot file a complaint against Facebook for violating the GDPR if you are not an EU resident. Additionally, numerous companies are proactively updating their on-site privacy policies and cookie policies to ensure compliance.
It's not just household names of the internet like Facebook that will have to comply. Any company dealing in sensitive personal data, regardless of industry, will also be required to protect consumers' personal information. This is an important step toward greater privacy and security for internet users.
Nicole Wetwiski
Director of Digital Marketing