The EU on May 22, 2017 past a new law called General Data Protection Regulation (GDPR). This law goes into effect May 25, 2018. Many companies, like JM2 have already taken measures to comply with this law. Hopefully, you have been diligent in meeting these upcoming needs so that you don't get hit with fines. The EU is very much behind peoples privacy and this affects anyone that maintains any personal data about individuals. This law also affects companies in the United States! The internet is big and there are no physical boundaries for commerce. The United States is often behind when it comes to laws of personal protection and this one is very aggressive. By being in compliance today you are a lot closer to be ready for when the United States catches up to protecting consumers more.
Note: The site for all of the information gathered below and summarized for you came from the EU General Data Protection Regulation (GDPR) website at https://www.eugdpr.org/.
What worries many businesses is that they now have to ask for permission before emailing, storing, contacting, etc. and not just automatically opt people into your programs. Consumers that are asked to subscribe will more often read, click, and purchase products from you in the future. So why wouldn't you already be doing this if it will gain you more money and a more loyal following? If you use programs like MailChimp or Constant Contact have options to do what is called a double opt-in and have had it for years. There are benefits to this. You are assured the person wants to receive your information, are aware of what you offer, and have truly requested access to it.
Whether you have a location in the EU or not your company will be affected by GDPR if your business does the following:
- You log information about website visitors who are in the EU.
- You provide any services, including free, to those in the EU.
- If your servers are available to those in the EU.
- You have a physical presence in the EU with or without data collection.
- If you have a store in the United States, that could have a person from the EU come to it, that you gain any of their information (e.g. name, credit card, address, email, etc.) you are affected by this law.
No only are you now responsible for gaining permission (shocking) to contact someone you must keep that information in a secure state (e.g. encryption). Encryption when used correctly should be encrypted at rest (when not used) as well as when in transit (you have the green padlock right). Oh, and the green padlock not only between your website visitors and your web servers but any communication between your servers as well.
You need to have a way of removing this information as well. This means people should be able to request to be removed, you not ask any questions, and do it (no warrants, no buts..., nothing – do it!). This means removal in areas like your website logs, server logs, user information, cookies, IP addresses, geo-location information, tracking tokens, etc.
For those of us in the United States there are several items that need to be looked at.
- Keep your data secure at all times or risk fines.
- Don't think you are "too small" and will float under the radar. Your customers deserve to know you are securing their data whether you are big or small.
- Have a plan to disclose any system breaches large or small. We have already added this into our marketing plans so that we clearly explain these items in a consistent manner that are approved by the companies legal team if it is every necessary. It is better to have this prepared now and never need it than to scramble at the last minute if you would need it.
- Children under the age of 16 will require parental consent.
- You should have automated tools in-place so that this is a streamlined process. Anything that requires manual intervention leaves room for mistakes, missed information, and the potential for fines.
Knowing what you need to do to be in compliance and avoid fines and violations are:
- Know what data you are storing on people (customers, suppliers, and supplies). Allows you to easily explain to them as quickly and accurately as possible. Data is information that could be used to identify a person or business (Name, addrss, phones, photos, etc.).
- Make sure data is secured. This can be done with encryption, limit those that have access to it, anti-virus software installed, can you remotely wipe the data, etc. Are you storing hard copies of data and that it is stored securely? This isn't just about "digital".
- Don't keep data that you don't need. If you don't know what you are going to do with it then don't keep it. Just because it "could" be used in the future doesn't mean you should be keeping that data.
- Write a clear and fair processing policy. This should be part of your privacy policy on your website.
- Have a process for providing information you have on a person in one month and completely free of charge.
- Have a process in place for deleting data.
- Allow people to "positvely opt in" to you storing their data.
- Make it easy for people to opt out of any of your notifications. Don't make the text small so people can't see it. This opt out needs to be the same size as other text.
- Make certain your entire company is aware of the new GDPR laws. They don't need to be experts in GDPR.
- Appoint one, or more, people in your organization to be the Data Protection Officer or DPO.
- If you buy any lists you need to make certain that the company you are buying from is GDPR compliant. This goes also for lists you bought prior to GDPR. Each person within these purchased lists need to have "opted in" to receive information from third parties.
In a nutshell the GDPR states:
- All data subjects must give consent in all cases "by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual's agreement to their personal data being processed, such as by a written statement."
- The burden of proof lies on the business and not the individual for compliance with the law.
- Data subjects must be able to withdrawal consent at any time - and easily.
- Businesse cannot require consent in exchange for their service.
- All data breaches must be reported without undue delay and must be done within a maximum of 72-hours of the breach. If your WordPress, Joomla, Wix, Squarespace, custom Content Management System (CMS) website or Customer Relationship Management (CRM) program is compromised you need to report it.
- Data breach notifications
- Create a data breach response plan.
- Designate specific roles and responsibilities within the company.
- Train employees in regard to data breaches, what they are, how to respond, etc.
- Prepare notification templates (e.g. part of your marketing and public relations plan).
- If personal data is unintelligible, data subjects don't need to be notified about a breach.
- Encryption is named by GDPR as appropriate mean to achieve this goal. Good, Powerful, widely available encryption is attainable at relatively low costs.
- There are hefty fines (up to 20 million Euro's) for failing to comply with GDPR.
- Employees need to be trained on this on an annual basis.
No matter your business size, if you are solely in the United States, have a website, send emails, or communicate you are potentially affected by this law. It is better to be in compliance than to face the fines that might come. Start working with your Information Technology company, web designers, and marketing companies to help you be in compliance, be prepared, and definitely informed about this and other laws.