The only way to build the digital future of Europe was to base it on trust. Among the reforms was the creation of robust, everyday standards for data protection that give European Union citizens control of their personal information. Nearly four years later, a new regulation, the General Data Protection Regulation (GDPR), was adopted.
Countries were given two years to comply, and on May 25, 2018, the General Data Protection Regulation came into force. It is expected to set a new standard for consumer rights over their data. This strict set of rules applies to all 28 EU member states and to businesses outside Europe. Non-compliance with this regulation will have far-reaching implications for businesses, which is why every business owner in Europe needs to know about GDPR.
The General Data Protection Regulation is a European Union privacy law that replaces the Data Protection Act 1995 and regulates how any organization treats or uses the personal data of EU citizens. It standardizes data protection laws across all European Union countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also protects personal data and data protection rights by giving control back to EU citizens. It is all about transparent communication of how the website and company will use personal data and how they will protect it so that it does not fall into the wrong hands. Under the new regulation, any business that unlawfully holds or processes personal information about residents of the EU, including organizations situated outside the EU, risks a hefty financial penalty: a fine of £20 million or 4% of the company’s annual turnover, whichever is higher.
One of the most critical aspects of the GDPR is that it does not apply only to European Union businesses: any entity, anywhere in the world, whether in the United States or China, that collects, uses, or processes the personal data of EU citizens must comply with GDPR. The GDPR will affect your business if your website:
Uses any personal data from EU residents.
If your business collects personal data from EU citizens, then you need to comply with the GDPR. Personal data is any data that can be used, alone or in combination with other data, to identify a person. Personal data protected by GDPR includes name, address, ID number, health information, racial or ethnic origin, sexual orientation, political views or affiliations, religious beliefs or affiliations, genetic data, biometric data, location data, IP address, and cookie data.
Collects email addresses or newsletter sign-ups
If your website collects email addresses for a marketing list that includes EU residents and uses a third-party service to manage that list, the third-party service, too, must be GDPR compliant.
Processes data from EU citizens on behalf of another entity
Suppose you are in the hospitality, travel, or software services industry, or run an e-commerce company, and you serve individuals from the EU and embed third-party services such as Google and Facebook. In that case, your websites must also be GDPR compliant.
When consumers visit your website and interact with it, GDPR requires you to make what is happening as clear and transparent as possible. You need to show consumers what information you are gathering, offer options for consent, and be able to delete that information from your systems as soon as a client asks you to. For this to be possible, you need to make some changes to your website to stay on the right side of the law and protect your customers. Some of the changes include:
Website Forms or Opt-in
Forms that invite users to subscribe to newsletters or indicate contact preferences must no longer include pre-ticked boxes. A pre-ticked box is implied consent, not consent freely given. Users should be able to provide separate consent for each different type of processing.
Easy to Withdraw Permission or Opt-Out
It must be as easy to withdraw consent as it was to grant it, and individuals must know they have the right to withdraw their consent. This means that a consumer can selectively unsubscribe from specific types of communication, quickly change the frequency of contact, or stop all communications entirely.
If you are an e-commerce business, you will likely use a payment provider for financial transactions. Your website may be collecting personal data as it passes the payment details on to that provider; in this case, your site is still storing personal information after the information has been passed along. You must modify your web processes to remove personal information after a reasonable period, for example, 30 days. The GDPR does not specify a number of days; it is your own decision what can be defended as reasonable and necessary.
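The three website changes above (no pre-ticked boxes, per-purpose consent that is as easy to withdraw as to grant, and deletion of personal data after a defined retention period) can be implemented server-side as a small consent ledger plus a retention purge. The following JavaScript is an added example written for this article, not code from the original page or any product it mentions; the purpose names, the personal-data field list and the 30-day window are assumptions chosen to match the text.

```javascript
// Added example (not from the original article): a minimal consent ledger and
// retention purge. Purpose names, field names and RETENTION_DAYS are assumptions.

const PURPOSES = ["newsletter", "product_updates", "partner_offers"];
const RETENTION_DAYS = 30; // assumed retention window, matching the article's example

// A new record starts with every purpose set to false. A form with pre-ticked
// boxes would effectively start these as true, which is not freely given consent.
function newConsentRecord(userId) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = { granted: false, at: null };
  return { userId, purposes, history: [] };
}

// Granting and withdrawing consent go through the same single step, so
// withdrawal is never harder than the original opt-in. Each change is logged
// so you can show when consent was given or withdrawn.
function setConsent(record, purpose, granted, now = new Date()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  const at = now.toISOString();
  record.purposes[purpose] = { granted, at };
  record.history.push({ purpose, granted, at });
  return record;
}
const grantConsent = (record, purpose, now) => setConsent(record, purpose, true, now);
const withdrawConsent = (record, purpose, now) => setConsent(record, purpose, false, now);

// Check the specific purpose before each communication, never a blanket flag.
function mayContact(record, purpose) {
  return record.purposes[purpose] !== undefined && record.purposes[purpose].granted === true;
}

// Retention: strip personal fields from completed orders older than the window,
// keeping non-personal accounting fields (order id, total) intact.
const PERSONAL_FIELDS = ["name", "address", "email", "cardholderName", "ipAddress"];

function purgeExpiredPersonalData(orders, now = new Date(), retentionDays = RETENTION_DAYS) {
  const cutoff = now.getTime() - retentionDays * 24 * 60 * 60 * 1000;
  let purged = 0;
  for (const order of orders) {
    if (order.purgedAt) continue; // already purged, do not count it twice
    if (new Date(order.completedAt).getTime() < cutoff) {
      for (const field of PERSONAL_FIELDS) delete order[field];
      order.purgedAt = now.toISOString();
      purged++;
    }
  }
  return purged;
}

// Constructed sample orders (not real data) so the purge can be exercised offline.
function sampleOrders() {
  return [
    { id: "o1", completedAt: "2024-01-01T00:00:00Z", name: "Alice Example", email: "alice@example.com", total: 10 },
    { id: "o2", completedAt: "2024-02-20T00:00:00Z", name: "Bob Example", email: "bob@example.com", total: 20 },
  ];
}

// Walk through a grant, a withdrawal and one purge run, returning the results.
function demo() {
  const record = newConsentRecord("user-1");
  grantConsent(record, "newsletter", new Date("2024-01-01T00:00:00Z"));
  withdrawConsent(record, "newsletter", new Date("2024-01-02T00:00:00Z"));
  const orders = sampleOrders();
  const purged = purgeExpiredPersonalData(orders, new Date("2024-03-01T00:00:00Z"));
  return { canMailNewsletter: mayContact(record, "newsletter"), changes: record.history.length, purged, orders };
}

module.exports = { newConsentRecord, grantConsent, withdrawConsent, mayContact, purgeExpiredPersonalData, sampleOrders, demo };
```

The purge runs as a scheduled job against orders already handed to the payment provider; because `purgedAt` is recorded, the job is idempotent and a second run reports zero purged records.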
GDPR presents a real opportunity for organizations to drive data efficiencies. Since it’s a new regulation, business owners may find it challenging to get it right. For more information on GDPR, visit the following links.