What does GDPR mean to you as a consumer and a business owner?
GDPR stands for General Data Protection Regulation. It refers to the European Union’s new laws which go into effect May 25. The goal of this is to simplify data protection laws providing citizens across all member states with more control over what personal data is collected and used. These sets of rules will affect the EU’s 511.5 million people as well as any business that serves them regardless of the organization’s location.
The EU already has privacy measures in place with a ruling in 2014 by the EU’s highest court establishing the right to be forgotten or delisted from Google search results within the EU. The judgment stated that Google must exclude links to news about a person if that individual requests it and also if the information is “inaccurate, inadequate, irrelevant or excessive.” For example, if you are using google.de (Germany) and you have requested that Google delists all search results for you, then it would not come up. That said the results would come up in Google search results outside of the EU.
GDPR is taking that ruling farther. It gives people control over what search engines, social networking sites, and apps can lawfully collect about them. As a result of the Facebook and Cambridge Analytica data misappropriation and high profile data hacking, privacy and data collection, users have become more aware and concerned about online privacy.
Does GDPR affect American businesses?
Yes, it does. Ruth Carter, a business and internet attorney based in Phoenix, Arizona, says GDPR affects anyone who sends commercial emails to and processes data from natural persons residing in the EU. She continues by stating the purpose of this law is to obtain consent before using a person’s data and to protect it adequately.
While the law doesn’t specify what businesses must do to protect the data, there is an expectation that they deploy technical and organizational measures using accessible technology. What it does is stipulate that you only process the data required to fulfill the purpose of your transaction. Also, the organization should allow those who need the data to have access to it, and the access should be limited to only the tasks for which it is needed.
But what does it mean?
According to a 2018 report from AvePoint and the Centre for Information Policy Leadership (CIPL) which surveyed 235 multination organizations, 60 percent of those companies do not have any procedures in place to identify and tag data. That means they are not aware of what sensitive and confidential content they have in their data and how it is used.
Here is the breakdown.
GDPR requires businesses to:
▪ only save personal data if the user opts-in.
▪ get explicit permission for the personal data and the language as such will be plainly written without legal-ease.
▪ honor requests for personal data erasure making it as easy to withdraw consent as it was to give it.
▪ keep a record of personal data in auditable ways.
▪ provide breach notifications within 72 hours of the breach.
▪ make all personal data portable.
How can businesses comply?
Three things you can do now to meet the law regarding consent:
▪ Double opt-in required for email lists which prevents random contacts from being added without them knowing until the email newsletters start arriving.
▪ Written declarations of consent means that businesses must tell the person exactly what they are signing up for and that must be done in an accessible form with everyday language.
▪ Right to withdraw consent is as important as the opt-in and should be easily done when a person no longer wishes you to have their information or contact with the organizations.
Getting it right with consent is a start, but if you are unsure if it affects your business and you need assistance complying, seek out a business lawyer who specializes in the internet as well as a cyber risk professional.
GDPR is just the start. Look for more regulations down the road for the United States.