The new EU privacy regulation could affect your business
Unless you live off the grid you probably received a slew of GDPR email notices cluttering your inbox this spring, including ones from RetailerNOW and the Home Furnishings Association.
In a nutshell, the GDPR (General Data Protection Regulation) is the European Union’s new data protection rule; it went into effect May 25, 2018.
It’s arguably the most stringent and far-reaching data protection and privacy regulation in effect. But, it’s in Europe and most likely you don’t have customers in Europe, so it really doesn’t affect you, right?
These regulations govern the collection, analysis and storage of personal data: names, addresses, credit card numbers, photos, IP addresses, genetic and biometric data. The GDPR applies to any company established in the EU, and to any company outside the EU that offers goods or services to individuals in the EU or monitors their behavior there. Company size is not a threshold for the regulation itself. The only size-based exception is the duty to keep written records of processing activities (Article 30), which is waived for organizations with fewer than 250 employees, and even that waiver disappears if the processing is likely to affect the rights and freedoms of data subjects, is not occasional, or involves sensitive categories such as health, genetic or biometric data or criminal records. In practice, essentially all companies are covered.
Do you buy goods from an EU-based supplier or manufacturer? Do people living in the European Union order from your website? Do you have a newsletter or email list that you invite individuals, including EU residents, to subscribe to on your website or social media? If so, the GDPR applies to you. One caveat: the fact that your website can be reached from Europe is not by itself enough to bring you under the regulation; what counts is whether you offer goods or services to people in the EU (for example by quoting prices in euros or shipping to EU countries) or track their behavior, such as with analytics or advertising cookies.
The GDPR breaks data-handlers into two groups, controllers and processors. A controller is defined as a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.” A processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller.” The obligation follows the data: if you process customer data in-house you are the controller; if you hand it to an email marketing platform, payment provider or cloud host, that vendor is a processor, and you remain responsible for choosing vendors that offer adequate guarantees and for having a written contract with them. If either side isn’t in compliance, you’re in trouble.
And, before you shrug your shoulders and take the ‘I’ll-just-pay-the-fine’ route: the penalties for non-compliance are steep. The upper tier of fines runs up to 20 million euros (that’s a cool $23.6 million or more) or 4 percent of your total worldwide annual turnover for the preceding financial year, whichever is higher. This tier covers violations of the basic processing principles and consent rules, infringements of consumers’ privacy rights, unauthorized international transfers of personal data, and ignoring a supervisory authority’s orders or a consumer’s request for access to their data. Breaches of the operational obligations carry a lower tier of up to 10 million euros ($11.8 million) or 2 percent of worldwide annual turnover, whichever is higher; this covers failure to report a data breach, failure to have privacy procedures and security measures in place, and failure to appoint a data protection officer if you’re a company that’s required to do so.
The GDPR gives individuals eight rights:
- Right to information
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making and profiling (the right not to be subject to a decision based solely on automated processing)
What do you have to do to comply?
Make sure your terms of service or any condition, consent, or privacy statement aren’t full of legal mumbo-jumbo—they have to be presented in user-friendly terms without ambiguity. Users should be able to withdraw their consent as easily as they give it.
Ask anyone on your email list who has never verified that they opted in, for example the next time they visit your website, to confirm that they want to receive your emails; don’t assume consent from an old sign-up.
Provide an “appropriate” level of protection for personal data. The regulation does not prescribe specific controls; it says your security measures should match the risk and the state of the art, and it names pseudonymization and encryption of personal data as examples.
Know how your vendors and service providers operate and manage data, and have written contracts with them that spell out what they may do with it.
Stop using pre-filled email opt-in checkboxes on forms.
Don’t auto-subscribe individuals to your email list after they’ve made a purchase—you need their express permission.
Notify your supervisory authority (the data protection regulator in the relevant EU member state) within 72 hours of becoming aware of a security breach, and tell the affected individuals without undue delay when the breach is likely to put their rights and freedoms at high risk. The notice to individuals must be in clear, plain language; where contacting each person directly would involve disproportionate effort, a public announcement that informs them equally effectively is allowed instead.
You must give users access to their data at their request: they have the right to know whether their data is being processed, what data you hold, for what purpose, with whom it is shared and how long you keep it. You must provide a copy free of charge (a reasonable fee is allowed only for additional copies), in a commonly used electronic form if the request was made electronically, and you normally have one month to respond. The data controller must always verify the identity of anyone making a subject access request before sharing any information.
If asked by the user, you must stop processing their data (the right to object) and erase it when it is no longer relevant, when the original purpose of collection has been satisfied or when they withdraw consent, unless you’re required to retain the data to comply with legal and regulatory obligations.
The data must be portable: if the individual requests it, you must give them the data they provided to you in a structured, commonly used and machine-readable format and, where technically feasible, transmit it directly to another controller of their choosing.
For more information about GDPR compliance, talk to your attorney and read the full text of the GDPR at gdpr-info.eu.