The European Union’s GDPR, or General Data Protection Regulation, went into effect two years ago, in May 2018, but not every business is ready. CNBC reports that there has been a lot of confusion and frustration within the first year of implementation, with hefty fines of significant concern to even the biggest companies in the United States.
US businesses are not the only ones in a quandary; regulators are overwhelmed, too, especially by the 72-hour breach reporting requirement.
By November 2019, many companies still lagged behind in GDPR compliance. In fact, a survey showed that one in every four companies around the world is not confident that it will be able to comply with GDPR if it suffers a data breach.
So, if you’re one of the companies still trying to make heads or tails of GDPR compliance, here are five things you should know.
1. It’s not just Europe: You should comply with GDPR rules, too.
A lot of companies in the United States think that the GDPR, being a European Union law, doesn’t apply to them. But US-based companies are within the scope of GDPR if they process personal data of people from the EU, or if they act as a controller.
In fact, GDPR has a wider scope than the EU-US Privacy Shield, which covers only the flow of personal data between the US and EU member states.
As such, US companies must ensure that they comply with all the rules and regulations set forth in the GDPR.
The GDPR is very clear that you are covered by the regulation no matter where you are located if:
- You sell products and services to European Union citizens.
- You monitor EU citizens, including marketing surveys and other consumer behavior studies.
2. What are the key features you need to know when it comes to GDPR?
GDPR’s main purpose is to protect citizens of the European Union from data breaches and other privacy violations. It is an updated version of a 1995 law, revised to account for the vast changes in how data is handled online.
What are the key features that you should know?
- Informed consent – The new rules are very strict when you process data based on the user’s consent. Users should give their consent freely, and it must be informed, specific, and clear. It shouldn’t be ambiguous. Businesses will need to request consent in plain and easily understood language.
- Right to access – Your customers can access their personal data without being charged for it.
- Right to data portability – When you process data you’ve obtained by way of a contract or consent, the user can always ask you to return the data to them or transfer the data to another entity or business.
- Right to correct – The user can request corrections, rectifications, completions, or modifications if they think that the personal data you hold is incorrect, inaccurate, or incomplete. You are obligated to correct the information without undue delay.
- Right to object – Any user can also object to a business processing their personal data at any time. This covers any particular uses of data you may have.
- Right to be forgotten or the right to erasure – There are instances and circumstances when a user may ask their data controller to erase personal data collected from them, and businesses must comply promptly with requests made under those circumstances.
- Profiling and automated decision-making – Your users have the right not to have their personal data used by you to make automated decisions and profiling, such as when making a credit decision.
3. Yes, the hefty penalties are true.
Digital Guardian explains that GDPR violations may result in fines from 2% to 4% of a company’s annual turnover, or up to €20 million, whichever is greater.
But if you’re not worried about the monetary penalties, just think about other ways that the EU is forcing companies to comply. For instance, the EU has blocked websites like the Los Angeles Times and the Chicago Tribune. These sites were not accessible to Europeans for quite some time.
4. So, what are your protections?
A US-based business that does not collect data from or have transactions with EU citizens is exempt from the GDPR. Therefore, if an EU citizen visits your website from a search engine, you will not be held liable, because you did not directly lead them to your site.
However, there is an exception to this rule. The GDPR also states that if you offer website content in one of the European Union’s official languages, then you should follow the new rules.
5. How do you ensure compliance?
If your company is covered by GDPR rules, how do you ensure compliance? For one, you should make sure that all your online forms are compliant. This includes:
- Obtaining consent from users who fill out and submit a form on your site.
- Being very clear about how you plan to use their data.
- Ensuring that consent is specific, informed, freely given, and clear.
- Making your Privacy Policy and Terms & Conditions easy to find, and displaying both prominently.
But more than that, you should also:
- Read GDPR’s full text. It’s not going to be easy, and you’re probably going to get lost in all that legalese, but try to understand it as much as possible.
- Look at what others are doing. By now, there are a lot of companies who have successfully complied with GDPR rules, so it’s a good idea to take some cues from them. What did they do, what steps are important, what else do you need?
- Audit your website. You should have a full audit of your website, including opt-ins, cookies, and storage.
- Audit your data. You should also know what types of information you are storing to make sure that you are properly compliant with GDPR.
Once you’re in the know about GDPR and its requirements, you can take the appropriate steps to ensure that your business is compliant. Not only will compliance help you avoid costly fines and penalties, but you’ll keep your users’ data more secure, as well.