General Data Protection Regulations: Are you ready?

May 24, 2018

The General Data Protection Regulation (GDPR) is the new data-protection regulation adopted by the European Union. It goes into effect on May 25, 2018. The regulation is about protecting the privacy of people in the EU. It requires websites to have a clear privacy policy that describes every kind of personal data the website collects and why it is collected. In addition, you need to provide a way for your visitors to obtain a copy of their data.

This new regulation affects not only European websites but any website that collects information about people in the European Union. That includes IP addresses, location data, names and e-mail addresses, to name just a few of the kinds of information the regulation covers. By the time you read this, the regulation will have gone into effect. This guide is for those who need to be brought up to speed on some of the requirements, and it offers some information on what to do to bring your website into compliance.

This information is most helpful to small businesses and individuals. If you are a big company with a large team, you have the resources to become compliant without my help.

What is the General Data Protection Regulation?

The GDPR provisions specify:

  • Anyone involved in processing the personal data of people in the European Union (EU), including third-party entities that process data on a company's behalf, can be held liable for a breach.
  • When an individual no longer wants a company to process their data, the data must be deleted (subject to the exceptions the regulation allows, such as data that must be kept to meet a legal obligation).
  • Companies that collect customer data or process sensitive data on a large scale must appoint a data protection officer.
  • Companies and organizations must notify the national supervisory authority of serious data breaches within 72 hours of becoming aware of the breach.
  • For children under a certain age (16 by default; member states may lower it to 13), parental consent is required before services such as social media may process their data on the basis of consent.
  • Individuals have a right to data portability, so that they can transfer their data easily between services.

"Remember that I am not a lawyer and I do not play one on the Internet. Nothing I say constitutes Legal Advice. Please consult your legal counsel before posting anything or implementing these solutions. The provided information is for informational and educational purposes only."

Lance Howell

GDPR Check List for the United States

  1. Audit Your Data
    Locate where your data is stored; why each kind of data is collected; how customer data is obtained; and how much duplication of customer data exists across multiple sites.
  2. Audit Your Service Providers' Data
    Review how your third-party service providers store and process data, and re-evaluate your service level agreements and contracts with them.
  3. The Right to be Forgotten
    Individuals can ask you to erase the personal data you hold about them. Organizations have one month to respond to such a request.
  4. Controllers and Processors
    Under the GDPR your business falls into one of two categories: you are either a data processor or a data controller. A data processor is a company that processes personal data on behalf of a controller. A data controller is a company that determines the purposes and means of processing customer data. Sometimes a company is both at the same time.
    The two categories have different requirements under the General Data Protection Regulation.

What Small Business Should Know?

The GDPR applies to companies with fewer than 250 employees as well as to larger ones; only some of the obligations differ, such as the duty to keep detailed records of processing activities, which depends on company size and on how risky the processing is.

What are you collecting? Names, e-mail addresses, banking details? Is any of it considered sensitive data? You need to determine where the data is stored, how long it is kept, and how it is used.

Under the GDPR, consent needs to be explicit, clear and specific. If you do not have a data protection policy, develop one that uses GDPR-compliant practices. The regulation names encryption as one of the appropriate safeguards for personal data; using strong encryption for data at rest and in transit limits the damage from a breach and can help your business avoid hefty fines.

Visitors to your website have the right to access their data, correct inaccurate data, object to their data being processed, or have the data you hold about them erased entirely.

Your customers should be able to choose whether to be on your mailing list, and they should have control over how you use their data. The consent must be separate from other terms and conditions. The GDPR requires a positive opt-in: the customer must actively check "yes", so a pre-ticked box or silence does not count. Also remember that opting in to a mailing list does not give you the right to use a customer's data for something else unless that use is outlined in the privacy policy they agreed to.

Consent should be reviewed regularly to determine whether the customer still wants to be on the list, and you should keep a record of when and for what purpose each consent was given so that you can demonstrate it.
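The consent rules above (a positive opt-in, consent tied to one stated purpose, the right to withdraw, and periodic review) are easiest to get right if the website keeps a small per-purpose consent ledger rather than a single "agreed" flag. The following is an added example written for this page, not code from the original post or from any particular product; the purpose names, policy version strings, timestamps and the yearly review interval are assumptions made for the illustration.

```python
"""Purpose-scoped consent ledger (added example, not from the original post).

Rules it enforces:
  * an opt-in is recorded only when the separate consent box was actually checked;
  * consent is per purpose, so "newsletter" never authorises "profiling";
  * consent can be withdrawn, after which the purpose is no longer permitted;
  * consents older than REVIEW_INTERVAL are flagged for re-confirmation.
Note: whether a box was pre-ticked cannot be detected server-side; the form
itself must render it unchecked. This ledger records what the user submitted.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REVIEW_INTERVAL = timedelta(days=365)  # assumption: ask again after one year


@dataclass
class Consent:
    purpose: str            # e.g. "newsletter" (assumed purpose names)
    policy_version: str     # which privacy-policy text the person agreed to
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.withdrawn_at is None or now < self.withdrawn_at


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, List[Consent]] = {}

    def opt_in(self, purpose: str, policy_version: str,
               box_checked: bool, now: datetime) -> Consent:
        """Record consent; an unchecked or missing box is not consent."""
        if not box_checked:
            raise ValueError(f"no positive opt-in for {purpose!r}")
        record = Consent(purpose, policy_version, now)
        self._records.setdefault(purpose, []).append(record)
        return record

    def withdraw(self, purpose: str, now: datetime) -> int:
        """Withdraw every active consent for a purpose; returns how many."""
        count = 0
        for record in self._records.get(purpose, []):
            if record.active(now):
                record.withdrawn_at = now
                count += 1
        return count

    def permitted(self, purpose: str, now: datetime) -> bool:
        """True only if an active consent exists for exactly this purpose."""
        return any(r.active(now) for r in self._records.get(purpose, []))

    def review_due(self, now: datetime) -> List[str]:
        """Purposes whose newest active consent is older than REVIEW_INTERVAL."""
        due = []
        for purpose, records in self._records.items():
            live = [r for r in records if r.active(now)]
            if live and now - max(r.granted_at for r in live) >= REVIEW_INTERVAL:
                due.append(purpose)
        return sorted(due)


def demo() -> dict:
    """Walk through the rules with constructed timestamps; returns the outcomes."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed
    ledger = ConsentLedger()
    results = {}

    ledger.opt_in("newsletter", "privacy-v1", box_checked=True, now=t0)
    results["newsletter_ok"] = ledger.permitted("newsletter", t0)
    # Mailing-list consent does not extend to a different purpose.
    results["profiling_ok"] = ledger.permitted("profiling", t0)

    # A submission where the separate consent box was left unchecked is rejected.
    try:
        ledger.opt_in("profiling", "privacy-v1", box_checked=False, now=t0)
        results["unchecked_rejected"] = False
    except ValueError:
        results["unchecked_rejected"] = True

    # About thirteen months later the newsletter consent is due for review.
    results["review_due"] = ledger.review_due(t0 + timedelta(days=400))

    # Withdrawal takes effect immediately for that purpose.
    ledger.withdraw("newsletter", t0 + timedelta(days=30))
    results["newsletter_after_withdraw"] = ledger.permitted(
        "newsletter", t0 + timedelta(days=31))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Storing the policy version with each record matters because a change to the privacy policy that adds a new purpose does not retroactively extend the consents already on file; those purposes need a fresh opt-in.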