I. What exactly is the GDPR?
The GDPR (General Data Protection Regulation) is an EU regulation governing how organisations handle the personal data of people in the EU. In force since May 25, 2018, it gives EU residents more control over their personal data and over how businesses may use it. It requires full transparency about what is collected, who it is shared with and what tracking technologies, if any, are used to follow people around the Internet. For a US business that sells to EU residents the rules apply regardless of where the business is located. Fines for non-compliance are substantial (up to €20 million or 4% of worldwide annual turnover, whichever is higher) and can be levied on businesses inside or outside the EU.
II. What New Privacy Rights Does the GDPR Give EU Residents?
The regulation requires a business to tell customers what information it collects and shares. It also sets the 'rules of consent' that must be met before data is collected on that basis: consent has to be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. In practice, businesses will be asking for consent and spelling out every use of personal data in their privacy policies.
It also establishes rights such as the 'Right of Access', the 'Right to Rectification' and the 'Right to Erasure'. EU residents can now:
* Demand a copy of any personal data a business holds on them;
* Demand that any errors in that data be corrected; AND
* Request removal of their personal data.
The GDPR also gives EU residents a 'right to know' when their personal data has been compromised. A business must now notify the supervisory authority within 72 hours of becoming aware of a breach and, where the breach is likely to result in a high risk to the people concerned, notify those people without undue delay.
III. What is Personal Data?
Personal data is any information that can identify a living individual, either on its own or when combined with other data. Examples include:
- Phone number
- Credit card number, even a partial one
- Shipping or tracking numbers (unique to an order, and therefore to a person)
- IP address
IV. Why Should a Business Place Someone in Charge of Customer Data?
The GDPR makes a 'Data Protection Officer' (DPO), the person who stays on top of compliance, mandatory for public bodies and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data. Even where a DPO is not formally required, someone must be designated to own the data protection strategy and compliance. This person must:
* Decide how customers can make privacy-specific requests, for example via a website contact form or a dedicated email address (e.g., firstname.lastname@example.org);
* Consider whether the business could collect less personal data;
* Determine how long the business retains data, which may be driven by state or federal tax record-keeping requirements;
* Decide how data is backed up and how it is destroyed at the end of its retention period;
* Prepare procedures for responding to 'right to erasure' and 'right of access' requests;
* Prepare for how a data security breach will be communicated;
* Keep up to date with current and future changes to privacy laws that affect the business.
Privacy Policies should include:
1. What data the business collects on its customers/clients;
2. Whether any of the data is shared;
3. If so, with whom and for what reason;
4. How long data is kept; AND
5. How a person can update or delete collected data.
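As an added illustration (example code written for this edit, not part of the original article), here is how the 'right of access' and 'right to erasure' procedures listed above, together with a tax-driven retention rule, might be handled over a small constructed data inventory. The store names, the seven-year retention period and the sample records are all assumptions; the point it shows is that an erasure request is not a blanket delete: records the business is legally obliged to keep are pseudonymised rather than removed, and the requester gets a summary of both outcomes.

```python
"""Added example (not from the original article): handling a data-subject
access request and an erasure request over a small, constructed inventory.

Hypothetical assumptions: the business holds customer data in three stores
(a CRM, an orders ledger and a web-analytics log), all keyed by email, and
finance must keep order records for a fixed number of years for tax purposes.
"""
import copy
from datetime import date, timedelta

# Hypothetical tax-driven retention window for order records. Orders still
# inside it cannot be deleted on request; they are pseudonymised instead.
RETENTION_DAYS = 7 * 365


def sample_inventory():
    """Constructed sample data, not real customer records."""
    return {
        "crm": [
            {"email": "alice@example.org", "name": "Alice", "phone": "+44 20 7946 0000"},
            {"email": "bob@example.org", "name": "Bob", "phone": "+33 1 23 45 67 89"},
        ],
        "orders": [
            {"email": "alice@example.org", "order_id": "A-1001", "total": 42.0, "placed": "2017-03-01"},
            {"email": "alice@example.org", "order_id": "A-1077", "total": 9.5, "placed": "2010-05-20"},
        ],
        "analytics": [
            {"email": "alice@example.org", "ip": "203.0.113.7", "page": "/checkout"},
        ],
    }


def find_subject_records(email, inventory):
    """Locate every record tied to the subject, store by store."""
    found = {}
    for store, records in inventory.items():
        hits = [r for r in records if r.get("email") == email]
        if hits:
            found[store] = hits
    return found


def access_request(email, inventory):
    """Right of access: a copy of everything held on the subject, ready to
    be serialised (json.dumps) and handed over."""
    return copy.deepcopy(find_subject_records(email, inventory))


def must_retain(record, today):
    """True if an order is still inside the tax retention window."""
    placed = record.get("placed")
    if placed is None:
        return False
    return date.fromisoformat(placed) + timedelta(days=RETENTION_DAYS) > today


def erasure_request(email, inventory, today=None):
    """Right to erasure: delete what may be deleted, pseudonymise what the
    retention rule forces the business to keep, and return a summary that
    can be reported back to the requester. `today` is an ISO date string,
    defaulting to the current date."""
    today = date.fromisoformat(today) if today else date.today()
    summary = {"deleted": 0, "retained": []}
    for store, records in inventory.items():
        kept = []
        for r in records:
            if r.get("email") != email:
                kept.append(r)
            elif store == "orders" and must_retain(r, today):
                # Drop the direct identifier, keep the accounting fields.
                kept.append(dict(r, email=None))
                summary["retained"].append(r["order_id"])
            else:
                summary["deleted"] += 1
        inventory[store] = kept
    return summary


if __name__ == "__main__":
    import json
    inv = sample_inventory()
    print(json.dumps(access_request("alice@example.org", inv), indent=2))
    print(erasure_request("alice@example.org", inv, today="2018-05-25"))
    print(access_request("alice@example.org", inv))
```

In a real deployment the inventory would be a list of every system that holds customer data (the record of processing activities), and the retained order would keep a reference to the retention rule that justified keeping it, so the business can explain the exception if challenged.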
VI. What Are ‘Right of Access’ requests?
VII. How About Erasure Requests?
VIII. What Of Security Breaches?
To raise the bar, the GDPR introduced rules governing what a merchant must do when an EU resident's data is exposed in a breach. One continuing responsibility of the person who owns data protection (the DPO, where one is appointed) is to keep the business website as secure as possible, which includes:
- keeping the site and its applications patched and updated to current security standards;
- deactivating and removing unnecessary applications;
- backing up website and account data, and moving the exports to secure, access-controlled storage, so that what is exposed in the event of a breach is kept to a minimum;
- requiring unique passwords on every account, regardless of the inconvenience;
- never allowing shared accounts; AND
- removing an employee's accounts immediately when they leave.
What also specifically changed with the GDPR is that a breach now carries 'communication requirements': notification to the supervisory authority within 72 hours of becoming aware of the breach, and notification to affected individuals without undue delay where the breach is likely to put them at high risk. Those notifications come first; the GDPR does not demand a general public announcement, though a public communication is permitted in place of individual notices when contacting each person would involve disproportionate effort.
In Summary, GDPR For US Business Owners
Privacy is no longer a one-time effort for business. The GDPR is just the latest set of laws designed to shift power back into the hands of people, AND US legislation is likely to follow suit. Getting familiar with these laws, which ones apply, and how they apply and are dealt with is going to be an ongoing responsibility!