GDPR and Your Business
Personal information storage changes on May 25, 2018, when a new European privacy regulation known as the General Data Protection Regulation (GDPR) takes effect. The regulation creates a privacy law for Europe that impacts businesses worldwide that provide services or goods to the European Union (EU) and European Economic Area (EEA).
This regulation applies to all companies, including those on other continents, that sell and store personal information about citizens in Europe. The goal is to provide the people of the EU and EEA with better control over their personal information and data and give assurances that their personal information is being protected.
The GDPR states that personal data is any information related to a person, such as their name, email address, banking information, photos, updates on social networks, location, medical information and IP address. The GDPR gives the consumer control and places the task of complying with the regulation firmly on businesses and organisations.
Basically, the GDPR applies to organisations and companies operating in the European Union whether or not data is processed in the European Union. If you are a business owner offering goods or services to people in the European Union, then the GDPR is applicable to the way your organisation handles data.
Organisations and businesses that work with personal data are required to appoint a Data Protection Officer, or Data Controller, who is responsible for GDPR compliance. Companies and organisations that do not comply with the GDPR can be fined up to 4% of their annual global revenue, or 20 million Euros, whichever is greater.
The GDPR isn’t just an IT issue. It affects the way a company conducts business, including its marketing and sales activities. Under the GDPR, the conditions for gaining user consent are stricter and must allow users to withdraw their consent at any time. Consent will not be considered valid unless separate consents are received for each information processing activity for each user.
In other words, you’ll need to prove that users agreed to a certain action, like receiving push notices or newsletters. The regulation does not allow you to assume their agreement to participate. It’s not enough to provide an opt-out option; the user must actively agree to an action, and you need to be able to provide proof of their agreement.
Businesses will need to review business practices, forms, and applications, including those used in marketing and sales activities. To be compliant, businesses will have to implement double opt-in rules and electronic marketing best practices that require a user wanting to receive communication from a business to fill out a form or mark a checkbox and then confirm their action in a separate email.
If you do business in Europe, you will need to closely review how you collect and maintain customer information. It may be necessary for you to make changes and update information processing procedures. Take time now to review the processes you have in place and start implementing updates so that your business is ready on the 25th of May when the GDPR goes into effect.
If you require more information about GDPR and how it can affect your business, contact a team member today.