The GDPR: Here's what you need to know
You may have noticed recently that your inbox is filling up with companies informing you that their privacy policies and terms of service have changed. That's no coincidence: on Friday, May 25th, the European Union will put into effect sweeping new legislation that deals with data privacy and how companies handle personal data. Here's what that legislation is, and how it could affect you.
What is the GDPR?
The General Data Protection Regulation (or GDPR) grants individuals a series of rights concerning their personal data, informs how companies can use that data, and stipulates how companies are beholden to their customers with regards to their data and its usage.
What's its goal? To give internet users more control over their data and their privacy, and to prevent companies from using your data in ways that you might not have consented to.
Does the GDPR apply to companies and people outside the EU?
Obviously, the United States isn't a part of the European Union. But the GDPR has reach that might surprise you, with effects that you could feel here.
For starters, if you're just visiting the EU on vacation, the GDPR will affect you during your stay. It doesn't necessarily apply to all EU citizens who are living outside of the EU, but it does apply to EU citizens who work for companies that do business inside the European Union. In fact, if your company processes even just one person's data from within the EU at any point after May 25th, 2018, then your company has to abide by the rules and regulations put into place by the GDPR, even if your company isn't European and doesn't have any physical presence in the EU at all.
How will companies and people in the U.S. be affected?
A lot of companies are already asking you to accept updates to their terms of service. This is because the GDPR requires organizations to get consent from their users before storing and processing their personal information. Whether by email, a prompt upon login, or another form of notification, companies will seek your consent before you continue using their services.
And again, if you’re a company in the U.S. that processes any personal data at all from a person inside the EU, then you’re required by law to be GDPR compliant.
What are the penalties for non-compliance?
If a company is found to be violating the GDPR, the financial price is steep. The fine is either 24 million dollars (20 million euros) or 4% of the company's global revenue for the year, whichever is higher.
Is the U.S. planning to do something similar?
Currently, the U.S. Congress is considering the Social Media Privacy Protection and Consumer Rights Act of 2018, which is similar to the GDPR in a lot of ways. While current U.S. data privacy laws are more lax than the EU's will be after the GDPR goes into effect, several lawmakers in America are pushing for stronger protections for personal data.
Regardless of actual policy, the GDPR has put standards into place that companies will begin to follow, and consumers will come to expect. It won’t be long before we’ll feel the full effects stateside.
What can I/my company do to be GDPR compliant?
If you're going to be affected by the GDPR, you're going to want to read it (LINK) and make sure you're legally conforming. That being said, there are a few steps you can take right now to get ahead of the curve. Here's what you can do to make sure you're GDPR compliant:
1) Provide a clear indication of consent to your users
On websites and web forms, let people know that by using your service they're consenting to their data being used, stored, and so on. Make sure your wording is concise and easy to understand, and be sure to include a cookie agreement and age verification (if needed) as well.
2) Validate the country of your user
If necessary, you should try to ascertain whether a person's data is regulated by the GDPR. You can do this by adding a 'Country' or 'Country of Residence' field to your web forms.
3) Review and manage existing contacts and your contact database
You’ve been getting all those emails for a reason! Consider sending your users a new request to reverify their email address and renew their consent to receive emails from your company and use your services.
Include a simple outline of how data is being collected, which data is used, and what it is used for. Not only will people appreciate your clarity and honesty, but by getting started on GDPR compliance now, you’ll be saving yourself headaches in the future.