Author’s Note: This is a short guide to a new and confusing legislation. Please consult external resources to ensure compliance.
Everyone’s morning e-news has been full of the GDPR lately, but don’t be fooled by this European legislation - it still requires your non-European attention. Let us walk you through this historic change, how it affects you and your business, and what you need to do to next.
In layman’s terms, the GDPR requires organizations to be explicit with customers about what personal data they collect, exactly what they do with it and ensure that data is destroyed if requested.
What is it?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). GDPR came into effect across the EU on May 25, 2018, and was designed to give EU citizens more control over their personal data as well as how and when it is used by businesses.
It applies to organizations within the EU but also outside the EU in certain cases: if its customers include EU residents, regardless of a company’s physical location, the GDPR applies. However, if an organization does not offer goods and services to EU residents, nor does it track the online activity of EU citizens (including targeted advertising), this legislation is not something to worry about.
We wish it was this simple, but it is likely your website does not block traffic from the EU. Therefore, you probably do collect personal data from EU citizens. There appears to be some ambiguity surrounding what exactly “personal data” includes. You may not think a website “cookie” would be considered personal data, but according to GDPR it certainly is.
Firms that have 250 employees or less are not required to comply with the entire set of GDPR rules. However, they are still required to hold internal records for certain types of data. If your organization falls into this category, you’ll want to learn more.
Here are some steps companies can take immediately:
Make sure your website has the proper user notices and agreements available.
Do an inventory of the data you have, understand why you have it and document it. This will include data on an in-house system, in-house system, on a "cloud" service on somebody else's servers, or on a mobile device like a smartphone.
Ensure you have processes in place to permanently delete all of an individual's records from your systems.
Have a written process in place for how you would delete personal data or provide personal data on request.
Not sure if the GDPR is something your business needs to worry about? Read the full, official rules for businesses and organizations. Need help implementing website or data privacy measures for your EU customers? Drop us a line and we’ll lend a hand.