What is GDPR and why should you worry about it?
If you own or have worked in a business that transacts with European citizens, you may have recently heard about the General Data Protection Regulation (GDPR).
This regulation compels businesses (even those outside the EU) to protect the personal data of citizens in EU member states. Non-compliance entails steep penalties (up to €20m or four percent of a business’ annual worldwide revenue, whichever is larger!).
How do you make your site GDPR compliant?
Read more to find out!
Does It Affect My Business?
Determine if your business is one of the four types that need GDPR compliance.
Is your business:
- Situated in an EU member state?
- Outside of an EU member state but collects and/or processes personal data from citizens of EU member states?
- Employing more than 250 employees?
- Employing fewer than 250 employees, but your data processing affects the rights and freedoms of your data subjects in a non-occasional way, or includes certain types of personal information?
These four business types cover most, if not all, businesses today. Whether you’re in the Information Technology business or a small online retailer, odds are you’re going to be affected by this regulation.
What Are My Obligations Under the Law?
Once you’ve determined that your business is affected by the regulation, you have to know what you need to comply with as far as your customers’ data is concerned.
Businesses are categorized as either Controllers or Processors.
If your business DETERMINES the purpose of the collection and storage of data, then your business is a CONTROLLER.
If your business collects and stores data ON BEHALF OF ANOTHER business or organization, then your business is a PROCESSOR.
Knowing this is key because each type has a different set of obligations in addition to those they have in common, which include:
- Keeping a record of all the information they hold, including its source, who they share it with, what they do with it, how long they hold on to it, and where they keep it. They must also have data protection measures built in.
- Keeping technical security up to date, which may even mean hiring a Data Protection Officer (more on this later).
- Reporting data breaches to the local authorities within 72 hours.
Rights Of Data Subjects/Customers
Now that you’ve learned most of what you need to do to make your site one step closer to GDPR compliance, it’s time you learned what rights your customers have.
These are the rights to:
- Transparency and Modalities – Give your customers transparency of information, communication, and modalities for the exercise of their rights.
- Information – Provide information to your customers both where you collect their personal data from them and where you did not. Basically, tell them when you do or do not collect their data.
- Access – Allow them access to the data you collected about them.
- Rectification – Allow your customers to correct any mistakes in the data they provided.
- Erasure – They can have their data permanently erased when they revoke their consent, when a partner organization requests it, or when the agreement or services have been terminated. This is also called the “right to be forgotten”, which even global giant Google was made to respect.
- Portability – Let them obtain and reuse their own data for their own purposes across different services.
- Object – The absolute right to object to their data being used for direct marketing purposes, and to object to processing in certain circumstances. You also have to inform them of their right to object, and you have one calendar month to respond to their objection. Note: there are situations where you can continue processing their data if you provide a compelling reason to do so.
- Automated individual decision-making, including profiling – The GDPR applies to all automated individual decision-making, including profiling, so these rights cover such processing as well.
Do I Need a Data Protection Officer?
One of the suggested ways to ensure your GDPR compliance is to hire a Data Protection Officer (DPO).
You won’t need one unless your business or organization falls under any of these categories:
- Public authorities
- Organizations that engage in large-scale systematic monitoring
- Organizations that engage in the large-scale processing of sensitive personal data
To sum up:
The GDPR affects most businesses around the world. If you want your site to be compliant, you have to know the GDPR law better and make sure that you comply with the obligations that it sets for your type of business.
For more information on the GDPR law, you can visit the ICO site here.