EU members now have the “right to be forgotten” and the “right to correct,” but what does that actually mean for YOU?
You’ve probably received an email from every business you’ve ever worked with saying that they’ve updated their privacy policy in accordance with GDPR (the General Data Protection Regulation).
But if you’re not sure what that means for you and your business and you want to be compliant without spending a lot of time stressing about it, this blog is for you.
Isn’t GDPR a European thing?
Yes, GDPR is an EU law dealing with data protection and privacy for everyone in the European Union. It’s designed to give individuals more control over their personal data by changing the laws and obligations around privacy and consent.
However, it also applies to organizations outside the EU that offer goods or services to customers or other businesses in the EU. And that may mean you!
But even if you NEVER do business in the EU, the rules and regulations set up by GDPR are simply best practices to follow to keep consumer data safe.
This is incredibly important when you consider the increasing number of data breaches that expose people’s sensitive information and put them at risk of becoming victims of crimes like identity theft.
What does the GDPR say?
GDPR says that organizations can only collect personal data legally and under strict conditions. It also says that organizations that collect and manage this data are obligated to protect it from misuse and exploitation while respecting the rights of the data subjects (the individuals the data describes).
Personal data, as defined by the GDPR, includes not only standard pieces of information like names, addresses, and photos, but also other forms of data that can be used to identify individuals, such as IP addresses, genetic data, and biometric data, which it treats as sensitive personal data.
The territorial scope of GDPR
This regulation states that if you collect any personal data or behavioral information from anyone in any part of the EU, then GDPR applies. However, there are a few important clarifications:
- The data subject has to be in the EU at the point of collection, which means that if an EU citizen is in New York when the data is collected, the law doesn’t apply. If they are in an EU nation when the data is collected, the law applies.
- The law covers all personal data — even if there is no financial transaction.
- For GDPR to apply, the organization must deliberately target consumers in the EU. For example, if someone in Amsterdam finds a US-based site intended for US customers only, then GDPR does not apply. However, if your site is in a native language of an EU country or explicitly mentions doing business in an EU country, then the law applies.
- Currency matters too. If you accept orders or transactions that convert to the Euro, then GDPR applies.
GDPR states that individuals must give consent before their data is gathered
Every form must include wording that clearly obtains explicit consent for the information gathered at that point; this applies separately at each point where data is collected.
So let’s say you have a form where people can sign up for your newsletter. Then, in your newsletter, you link to another form where they can create an account. You would need to have explicit language on BOTH forms indicating exactly how the data from that specific form will be used.
And no, you cannot link them off to a lengthy terms and conditions page. The wording must be directly on the form itself, and the consent option cannot be selected by default. People have to specifically and physically opt in to show consent.
You must also spell out each use case for their data. So let’s say you have one form that collects data you’ll use to create their account and to sign them up for your newsletter, and you’ll also share their data with a third party or parties. There must be a separate opt-in for each of those uses, so a person can opt into or out of each one as they wish.
The only thing different from the rules already in place is the breach notification rule
The only part of the GDPR that is different from rules already in place regarding data protection (for example, PCI DSS and ISO 27001) is the breach notification rule, which states that:
All breaches that involve “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed” AND involve the information of EU citizens must be reported to an EU regulator within 72 hours.
Transparency is no longer a selling point—it’s a requirement
You must, upon request, supply anybody covered by the GDPR with all of the information you have collected on them that can be used to personally identify the person in question. This does not include information that would violate the confidentiality of others or reveal other confidential business or corporate information.
Individuals in the EU have a “Right to Correct,” which means you must allow them to correct inaccurate personal data or complete incomplete personal data.
They also have the “Right To Be Forgotten,” which means you must, upon request by a covered individual, delete their information without undue delay under certain circumstances (e.g., if the data is no longer necessary for the purposes it was originally obtained).
The final provision regarding transparency is around portability, which means that, upon request, the data must be provided in a machine-readable format.
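The per-purpose consent rules above and the access, erasure and portability rights in this section can all be handled by one small consent record. The following is an added example, not code from the original post: a hypothetical in-memory ledger that only counts a checkbox the browser actually posted as “on” as consent (unposted or unchecked boxes are opt-outs), records the exact wording shown and a timestamp for each purpose, exports the record as JSON for portability, and deletes it on request. The purpose names, wording and `consent_` field prefix are assumptions for the example; a check for pre-selected checkboxes in the form markup is included, since that is the default the text says is not allowed.

```python
import json
import re
from datetime import datetime, timezone

# Constructed example purposes: the wording shown next to each checkbox.
PURPOSES = {
    "account": "Create my account using the details on this form",
    "newsletter": "Send me the newsletter at this e-mail address",
    "third_party": "Share my details with the partners named on this form",
}


def prechecked_boxes(form_html):
    """Return names of consent checkboxes rendered with a 'checked' default."""
    bad = []
    for tag in re.findall(r"<input[^>]*>", form_html):
        name = re.search(r'name="(consent_\w+)"', tag)
        if name and re.search(r"\bchecked\b", tag):
            bad.append(name.group(1))
    return bad


class ConsentLedger:
    """Hypothetical per-subject store of explicit, per-purpose opt-ins."""

    def __init__(self):
        self._records = {}  # email -> {purpose: {"text": ..., "given_at": ...}}

    def record_submission(self, email, form_fields, submitted_at=None):
        """form_fields are the fields the browser posted. Only an explicit
        'on' counts as consent; a missing field is an opt-out for that purpose.
        Returns the set of purposes the subject opted into."""
        ts = (submitted_at or datetime.now(timezone.utc)).isoformat()
        given = {}
        for purpose, text in PURPOSES.items():
            if form_fields.get("consent_" + purpose) == "on":
                given[purpose] = {"text": text, "given_at": ts}
        self._records[email] = given
        return set(given)

    def allowed(self, email, purpose):
        """Check before using the data for a purpose: was it opted into?"""
        return purpose in self._records.get(email, {})

    def export(self, email):
        """Right of access / portability: the subject's record as JSON."""
        return json.dumps({"email": email, "consents": self._records.get(email, {})})

    def erase(self, email):
        """Right to be forgotten: drop the record; True if one existed."""
        return self._records.pop(email, None) is not None
```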
Other useful resources to learn more about GDPR and its impact on small, US-based businesses
New York University School of Law
If you’re still not sure what this means for your business, you can contact an attorney familiar with EU laws or a consultant who specializes in GDPR compliance for more information.
