May 25, 2018 – One data protection regulation to rule them all… Noticing all of the re-opt-in emails in your inbox today and privacy policy notices all across the web? You can thank GDPR.
The General Data Protection Regulation (GDPR) is a new European Union (EU) privacy and human rights law that replaces the 1995 Data Protection Directive (DPD). This regulation (99 articles over 200 pages) aims to give EU citizens and residents more control over their personal data while simplifying and unifying regulation within the EU. The updated regulation contains new requirements for how personally identifiable information (PII) of data subjects within the EU is processed, regardless of where the processing takes place. Simply put, the regulation restricts what companies can do with your data, gives you more control, and requires companies to be straightforward, in simple language, in their privacy policies.
The old regulations were written before companies like Google and Facebook began collecting massive amounts of sensitive user information through smartphones.
GDPR gives organizations restrictions on what they can and cannot do with personal data. It gives users more clarity on what data is collected and how companies use it.
GDPR considers Personally Identifiable Information (PII) to be any data that can identify a person – name, phone number, username, IP address, or location data. Information such as sexual orientation, health data, and political opinions is treated as sensitive information under GDPR.
GDPR took effect on May 25, 2018.
You will need to opt in to allow an organization to use your data. Under these guidelines, you will notice fewer preselected checkboxes on website contact forms, and organizations will be directed to use clearer language in their notices and privacy policies.
Even though this is an EU regulation, it has a huge effect on businesses outside the EU, including in the United States. Many businesses collect or use EU residents’ data and also rely on companies based in the EU for services and data processing.
Anyone who collects user information from any person in the EU must obtain consent to collect and process that information. If your website analytics for site traffic do not reveal a visitor’s country of origin, you will need to treat that visitor as if they were in the EU.
People can request a copy of their data from a website and/or have that data removed. The organization must then go through a process to verify the user’s identity by their email address and comply with the user’s request within one month, at no fee to the user.
The penalty can be up to €20 million or up to 4% of global revenue, whichever is greater.
Organizations will need to assess their own data collection and data storage practices while seeking legal advice to ensure that their business practices will be GDPR compliant.
Areas to consider will be:
Once these and other considerations from the GDPR guidelines are identified and adequate processes are in place to be GDPR compliant, the following should be configured on your website:
For a consumer, this is great. You have so much more control over your data and how companies collect and process your data.
For organizations, it’s a huge headache legally to go through the process of becoming GDPR compliant and then hire resources for continued compliance thereafter. Big companies such as Google and Facebook currently have a large target on them, with $8.8B in lawsuits as of today. Many smaller and mid-sized companies that are not fully compliant are actually blocking traffic from the EU until they can become compliant, because the expense and the new rules are too much to handle. Blocking traffic from countries tends to have a negative effect on a company’s search engine ranking, but if there is a huge risk of facing fines and/or lawsuits, it seems that for some companies it is worth it temporarily until they can get a handle on everything.
Currently, it is estimated that 60–80% of companies are not fully compliant. GDPR is not a destination, but rather an ongoing journey of protecting user data and privacy. We’ll be hearing much more industry news on how this is affecting businesses around the world. If you have spare time – lol… you can read the full GDPR regulation: https://gdpr-info.eu
Disclaimer: We are not lawyers or a law firm. Information in this article is not guaranteed to be correct. We do not offer legal advice. We recommend that you consult a qualified attorney to help you become GDPR compliant.