What Is The GDPR?
If your business has an online presence and you’re collecting any sort of personal data from visitors, then please keep reading. The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that was adopted by the European Commission in April 2016. The Commission enacted a 2-year compliance period and is scheduled to come into full effect on May 25, 2018. The GDPR regulates how any organization obtains, uses, stores, and eliminates the personal data of individuals located in the EU. Therefore, you’ll want to make sure that your business is GDPR compliant before then.
Does The GDPR Affect My Business?
Most likely. The GDPR will affect (1) all organizations established in the EU, and (2) all organizations that process personal data of EU citizens. Essentially, this means that the GDPR will apply to any organization that processes the personal data of EU citizens-regardless of where it is established, and regardless of where its processing activities take place. Therefore, if you’re collecting, transmitting, storing, or erasing any sort of personal data from users located in the EU (which you likely are – your email newsletters are a common way), then you’re likely subject to complying with the GDPR. Keep in mind that the GDPR also applies to all industries and sectors.
What Does Personal Data Include?
Personal data includes collecting social security numbers, names, physical addresses, email addresses, IP addresses, behavioral data, location data, biometric data, financial information, and much more. Additionally, if you’re collecting more sensitive information, such as health or racial/ethnic background information, for example, then you’ll need to have more stringent protections in place.
What’s The Point Of The GDPR?
One word – consent. Consent is one of the fundamental goals of the GDPR. According to the GDPR, your business will need to obtain consent from email subscribers and contacts for every usage of their personal data. The GDPR requires that an individual have the opportunity to make an actual choice to provide consent. An individual’s choice to give consent must be separate and distinguishable from other actions. This means that when a user visits your website and wants to sign up for your newsletter, there must be an actual option for users to consent to receive your email newsletters and other information. Therefore, silence, pre-checked boxes or inactivity do not constitute consent; individuals must explicitly opt-in to the use, storage, and management of their personal data.
The GDPR also provides EU citizens with the right to be forgotten, which means that an individual can request that an organization delete their data immediately. EU citizens have the right to object or prohibit certain uses of their data. EU citizens have the right to know what specific data about them is being processed and how. Furthermore, EU citizens also have the right to request that incomplete data be completed or that incorrect data be corrected. Lastly, EU citizens have the right to request that personal data held by one organization be transferred to another.
Are You A Controller Or A Processor of Personal Data?
Knowing which category your business falls under is important because it establishes what requirements you’re obligated to meet. A controller determines the specific personal data that is collected for processing. For example, a controller decides what information is collected on a contact form, what information a subscriber has to provide to opt-in to their newsletter, which subscribers receive certain emails, etc. As the controller, your main responsibility is data protection. This means that you’re responsible for reporting any data breaches to protection authorities.
On the other hand, a processor is an organization that processes the data on behalf of the controller (i.e. MailChimp, Convertkit, or Active Campaign). Essentially, as a controller, you’re letting the processor (i.e. your newsletter subscription service) know what information to collect.
What Happens If My Business Doesn’t Comply By The Deadline?
You’ll possibly face sanctions. Sanctions for non-compliance are severe and can be as high as 20 million Euros or 4% of global annual turnover, whichever is higher.
There are many other requirements introduced by the GDPR, so it’s important to review the GDPR in its entirety to ensure that you have a full understanding of its requirements and how they may apply to your business. For full details on the GDPR, please see the European Commission’s website here.
Please note that this is for informational purposes only and should not be relied upon as legal advice. No Attorney-Client privilege has been created. Consult an attorney for further information on how the GPR might affect your business.