DISCLAIMER: Artsy Geek is not a law firm. This is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. We absolutely recommend that you follow the links at the end of this post and consult your own legal counsel to ensure you’re complying with the GDPR.
Short Answer: Probably Yes
If you handle or store any personal data (such as email addresses, cookies or IP addresses) and serve anyone in the EU — or have users who access your website from the EU — GDPR will likely apply to you. It’s a complicated law with a lot of ins and outs. Read on for more.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new set of principles set out by the European Union (EU) to enhance the protection of the personal data of EU citizens and increase the obligations on organizations that collect or process personal data. And by “process,” the GDPR means storing it, emailing it, or doing anything else with it.
The reach of the GDPR extends beyond the EU and can affect non-EU businesses that market their products to people in the EU or monitor the behavior of people in the EU. The GDPR was adopted April 14th, 2016 and, after a two year transition period, it will be actively enforced starting on May 25th, 2018.
The Eight Key Data Protection Principles You Should Know About:
- Obtain and process any personal data fairly (that is, with explicit consent).
- Keep it only for one or more specified and lawful purposes.
- Process it only in ways compatible with the purposes for which it was given to you initially.
- Keep it safe and secure.
- Keep it accurate and up-to-date.
- Ensure that it is adequate, relevant and not excessive.
- Retain it no longer than is necessary for the specified purpose or purposes.
- Give any individual a copy of his or her personal data on request.
Personal data is considered anything that relates to the user as an identifiable person and the GDPR makes no distinction between the information you gathered from public or private sources. Personal data includes:
- Biographical Data (height, weight, eye color, etc.)
How Does This Apply To Me?
Although the principles apply to EU citizens, any web service that EU citizens can access will be affected, and business owners should be prepared to respond.
Additionally, if you have an email list containing EU citizens who did not sign up specifically to be on your list (and instead get a free download, for instance), you need to get their explicit consent in order to keep emailing them.
It’s Not All Bad
Studies show that the majority of consumers feel these principles are good, and they remind us that personal data protection is a global concern.
“… prioritising data security laws sends the message to users that you care about their safety.”
– Jodi Daniels, Privacy Consultant
Non-Compliance is Expensive
Being unprepared, non-transparent, and not proactive on these new security principles puts a business owner at risk of being held responsible for mishandling personal data (which, by the way, could incur fines of up to €20 million or 4% of a company’s global annual revenue, whichever is greater). It could also change the way your clients and customers view your business’s brand as a whole and ultimately affect your bottom line.
How Do I Prepare?
Congratulations! Reading this post is the first step to tackling the overwhelming data protection principles. No matter where you are, consider yourself affected by these changes and start preparing for them now.
Take Stock of Your Data
Begin by considering, for instance…
- What is your organization’s current risk management process?
- What are the problem areas at this time?
- What data do I currently have and did I receive explicit consent to collect it?
The above is not an exhaustive list of the questions that you should be asking. If you don’t know where data is stored, what data is being collected, how you’re using the data, or whether it’s necessary to collect that particular type of data… well, you have work to do!
Create an inventory of all personal data you hold, why you hold it, whether you still need it, if it’s vulnerable to a data breach and how you would know if there was a data breach.
Make a Plan and Get Ahead of It
Depending on the size, type, and structure of your company or organization, you may be required to bring on a Data Privacy Officer to oversee compliance efforts. You’ll definitely need to bring on a DPO if your organization/company is either a public authority or an organization that processes personal data on a large scale.
Data privacy needs to be at the heart of all future design. Make yourself familiar with Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default.
A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It is what allows you to identify potential privacy issues before they arise and come up with a way to mitigate them.
You’ll need to ensure your procedures cover all the rights individuals are entitled to, including deletion and data portability, and that these procedures are communicated to your staff and made transparent to your clients and customers.
- Plan to handle access requests for personal information within one month.
- Plan how you seek, obtain and record consumer consent to process their data.
- Plan how you verify individuals’ ages or gather consent from guardians.
- Plan how to detect and investigate a possible breach, and be prepared for one.
- Plan a procedure that covers how you’ll report a breach within 72 hours.
- Make sure you have explicit consent to process the personal information you’re currently in possession of.
- Ensure all your data collection practices are and remain in accordance with the GDPR.
- Update your privacy notices to reflect your new procedures and acknowledge your compliance with the GDPR’s principles.