Data is the new oil.
This phrase has been circulating on the web for quite a while now. If we go by it, a resource as valuable as this certainly has to be well protected, and that is where GDPR comes into action.
Let’s begin with a quick disclaimer. This blog post is not legal advice and is for informational and/or educational purposes only. By the end of this post, you will get to know what GDPR is, whether it applies to your organization or not, the penalties involved and what steps you must take to comply with it.
WHAT IS GDPR?
GDPR is a regulation spearheaded by the three legislative European Union institutions: the European Parliament, European Commission, and Council of the European Union. The General Data Protection Regulation determines the ways that personal data about EU citizens can be handled, within the EU and outside the EU in other countries.
EUGDPR.org says GDPR is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
The main aim of this law is to give the control of the data back to the citizens and residents of the European Union. Set to be enforced from 25th May, GDPR brings in game-changing rules in the field of data privacy regulation.
WHO DOES THE GDPR APPLY TO?
Data collected and processed both before and after May 25th will have to comply with the new regulation. Even though the General Data Protection Regulation is an EU law, it applies to any company that processes personal data from the EU. This means that even if you’re a US or Asian company, you can still be subject to the GDPR as long as you handle the personal data of anyone from the EU. To make this clearer, have a look at the following examples:
- Walter White is an online entrepreneur based in the European Union. So he needs to comply with the GDPR across his business, even though he is collecting data from someone in the US.
- Jesse Pinkman is another entrepreneur/marketer based in the US but collecting data from someone in the EU. He too has to comply with the GDPR.
HOW THE DATA SUBJECT, CONTROLLER & PROCESSOR ARE DEFINED
- The Data Subject: The customer, user, employee or anyone for that matter providing personal data.
- The Data Controller: The companies/organizations offering services or goods that state how and why personal data is used and are responsible for the safe storage and use of the data collected from the Data Subjects.
- The Data Processor: Organisations that store, digitize, and catalog data on behalf of the Data Controllers. For example, third-party suppliers such as ERP systems and email marketing services like MailChimp.
THE EXTENT OF THE PENALTIES
There are different levels or tiers of fine, with tough penalties for organizations that don’t comply with GDPR: fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater. That’s a lot – hope now you realize why it is important for you! Stay on.
WHAT MUST YOUR COMPANY DO?
- Use simple language
Tell users who you are when you request the data. Say why you are processing their data, how long it will be stored and who receives it.
- Take their consent
Get their clear consent to process the data. When collecting data from children for social media, check the age limit for parental consent.
- Give them access
Let people access their data and take it with them.
- Alert them
Let them know if data breaches occur.
- Give them the right to erase
Erase their personal data if they ask to do so.
- Give them the right to data portability
People have the right to transfer their personal data between controllers (e.g., to move account details from one online platform to another).
- Notify third parties regarding rectification, erasure or restriction
Notify any third parties with whom you have shared the relevant data that the data subject has exercised those rights.
- Do not track
GDPR also stipulates that people have a right to ‘block’ or suppress processing of their personal data.
- Data transfer outside EU
Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.
- Consult your lawyer and Data Protection Officer
Audit your site with the help of your lawyer and your appointed Data Protection Officer.
WHAT CHANGES ARE REQUIRED ON YOUR MARKETPLACE WEBSITE?
- Terms and Conditions page – If you didn’t have a T&C page, you definitely need one now, along with a checkout checkbox that users must click themselves (it should not be “checked” by default). Amend your T&C page to reflect the new GDPR terminology and the gathering of customer data from the checkout page, so that it states:
1. Who you are (your address, etc.)
2. What data you collect (name, email, phone, address, IP addresses, etc.)
3. For what reason you collect the data (invoicing, tracking, email communication, etc.)
4. For how long you retain it (e.g. you keep invoices for 5 years for accounting purposes)
5. Which third parties receive it (Google, CRM, MailChimp, etc.)
6. How to delete data (either automatically or by emailing the Data Protection Officer)
7. How to get in touch with you for data-related issues.
- Send a re-permission email to your existing list – If you’ve previously obtained consent from your contacts in a manner that complies with the GDPR, there’s no need to ask for their permission again. But if you’d like a fresh record of consent to demonstrate that you’re in compliance with the new laws, you can send a re-permission email to your list.
It is the EU today; tomorrow it will be other geographies. So even if you are not based in the EU, or don’t deal with European customers for the time being, taking the necessary precautions can still be beneficial, preparing you for GDPR-type legislation in the future.
How are you dealing with GDPR and what are the challenges you are facing? Let us know in the comment section below.