The EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018.
It applies to any organisation that offers goods or services to, or collects personal data from, people in the EU, regardless of where the organisation itself is based, and it sets specific standards for how that data is collected, stored and protected.
If your policies aren’t in compliance, the penalties are steep.
The maximum fine is €20 million or 4% of annual global turnover, whichever is higher.
GDPR is a complex topic because the obligations depend on what personal data you process and how you process it, so the requirements for each business are different.
Here are some of the most important GDPR questions you need to answer.
GDPR requires certain organisations to appoint a Data Protection Officer (DPO): public authorities, and businesses whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data such as health data.
For an enterprise corporation, the DPO role may be a full-time job.
For a small or medium-sized business, GDPR compliance is more likely an added responsibility for an existing staff member.
Only those kinds of businesses are strictly required to appoint a DPO, but putting a single person in charge of overseeing a job this complex makes sense for any company.
Appointing a compliance officer will make updating systems for GDPR compliance a much smoother process.
If you haven’t already, you will need to map out exactly what kinds of personal data your company collects from customers and prospects online, where it is stored, who has access to it and how long it is kept (GDPR calls this a record of processing activities).
If you’re not tracking the data you collect, you cannot show that you are GDPR compliant.
Review existing data collection procedures with a comprehensive audit so that you know what you’re dealing with.
Under GDPR, the people whose data you collect (data subjects) have new rights over that data.
These include the right to access their data, the right to have it transmitted to them or to a third party in a machine-readable format (data portability) and, in many circumstances, the right to have it erased.
GDPR also sets timelines for complying with these requests. Your business must respond within one month of receiving a request; this can be extended by up to two further months only for complex or numerous requests, and you must tell the requester within the first month if you need the extension.
You will need to develop a process for receiving these requests, verifying the identity of the person making them, processing them and responding.
GDPR also requires that privacy information be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language; in effect, a prohibition on ‘legalese’.
If the average reader can’t understand what they’re signing up for when they agree to your terms and conditions or privacy notice, you are opening yourself up to a problem.
Vague or overly legalistic phrasing also looks shady, because it suggests that your company doesn’t really want customers to understand what they’re agreeing to.
Go through your terms and conditions and privacy notice to ensure that they plainly state how your company collects and uses data.
You must obtain parental consent before collecting data from a child who is too young to legally consent to data processing.
GDPR sets the default age of consent for online services at 16 but allows each member state to lower it to no less than 13, so the threshold varies by country in Europe.
While a 14-year-old in Spain can consent to share data with you, parental consent is required to collect data from anyone younger than 16 in the Netherlands.
GDPR compliance isn’t just about following a single set of rules that applies to all of Europe.
It also means complying with the local variations that each member state is allowed to make.
Every company hopes to avoid a loss of protected information, but unfortunately this isn’t always possible.
GDPR requires a company that suffers a breach of personal data to report it to its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; where the risk is high, the affected data subjects must also be notified without undue delay, and a processor that discovers a breach must notify the controller without undue delay.
You need to plan for the worst.
If a breach does occur you need to be able to determine quickly and accurately what data was affected, alert the data subjects and controllers who were impacted, and document what you did to contain it.
Every business will have to examine its own processes to ensure that they are GDPR compliant.
The fixes and updates will be different for everyone.
The good news is that these updates are generally positive.
Unless your business model relies on spamming people or selling their data, you will only benefit from increased transparency and accountability to customers.
GDPR will ultimately improve the quality of your email list, bring you up to the industry standard in data protection and help you act ethically and professionally online.