What is the General Data Protection Regulation?
The GDPR provisions specify:
- Anyone involved in processing European Union (EU) consumer data, including third-party entities involved in data processing, can be found liable for a breach.
- When an individual no longer wants a company to process their data, the data must be deleted.
- For companies collecting customer data or processing sensitive data on a large scale, they must appoint a data protection officer.
- Companies and organizations must notify national authorities of serious data breaches within 72 hours of detecting a breach.
- For children under a certain age using social media, parental consent is required.
- Individuals have a right to data portability, enabling them to transfer their data easily between services.
“Remember that I am not a lawyer and I do not play one on the Internet. Nothing I say constitutes Legal Advice. Please consult your legal counsel before posting anything or implementing these solutions. The provided information is for informational and educational purposes only.”
GDPR Check List for the United States
- Audit Your Data: Locate where your data is stored; why certain kinds of data are collected; how customer data is obtained; and how much duplication of customer data exists across multiple sites.
- Audit Your Service Providers’ Data: You need to review your third-party service providers’ data storage and processing and reevaluate service level agreements.
- The Right to be Forgotten: Organizations will have one month to respond to such requests.
- Controllers and Processors: Under the GDPR your business falls into one of two categories. You are either a data processor or a data controller. A data processor is a company that processes personal data on behalf of a controller. A data controller is a company that determines the purposes and means of how customer data is to be processed. Sometimes a company can be both at the same time.
Both of these categories have different requirements under the General Data Protection Regulations.
What Should Small Businesses Know?
The GDPR affects companies with more than 250 employees and companies with fewer than 250 employees, just differently. What are you collecting? Are you collecting names, emails, or banking details, and is the information considered sensitive data? You need to determine where and for how long the data is stored, and how it is used. Under the GDPR, consent needs to be explicit, clear and specific. If you do not have a data protection policy, develop one that uses GDPR-compliant practices. You will need to use strong encryption, which can help your business avoid hefty fines in the event of a data breach. Visitors to your website have the right to access their data, correct inaccurate data, object to their data being processed, or even completely erase the data that you hold about them. Your customers should be able to choose whether to be on your mailing list, as well as have control over how you use their data. The consent must be separate from other terms and conditions. The GDPR requires a positive opt-in, with the customer checking “yes”. Also remember that opting in to a mailing list does not give you the right to use a customer’s data for something else unless it is outlined within the privacy agreement. Consent should be reviewed regularly to determine whether the customer still wants to be on that list.