In 2012, the European Commission set out a plan for data protection reforms across the European Union (EU) countries to make Europe fit for the digital age. The only way to build the digital future of Europe was to base it on trust. Among the reforms was to create common, robust standards for data protection which gives the European Union citizens control of their personal information. Nearly four years later, a new regulation was adopted, which is the General Data Protection Regulation (GDPR).

Countries were given two years to comply and on May 25, 2018. The General Data Protection Regulation came into force. It is expected to set a new standard for consumer rights regarding their data. These strict set of rules applies to all 28 EU member states and businesses outside Europe. Non-compliance of this regulation will have far-reaching implications on businesses. This is why every business owner that does business in Europe needs to know about GDPR.

 

What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation is a European Union privacy law that replaces the Data Protection Act 1995, and regulates how any organization treats or uses the personal data of EU citizens. It standardizes data protection laws across all European Union countries, and imposes strict new rules on controlling and processing personally identifiable information (PII).

It also extends the protection of personal data and data protection rights by giving control back to EU citizens. It’s all about creating transparency of communication regarding how the website and company will use the personal data and protect it to ensure it does not fall into the wrong hands. Under the new regulation, any business that unlawfully holds or processes personal information about residents of the EU, including organizations situated outside of the EU. Risks being hit with a hefty financial penalty which is a fine of £20 million or 4% of the company’s annual turnover, depending which is higher.

 

What type of business must comply with this regulation?

One of the most critical aspects of the GDPR is that it does not only apply to European Union businesses but any entity, anywhere in the world. Whether in the United States or China that collects, uses, or processes the personal data of EU citizens must be compliant with GDPR. The new GDPR regulations will affect your business if your website:

Uses any personal data from EU residents.
If your business collects personal data from EU citizens, then you need to comply with the GDPR. Personal data refers to any data that can be used, either alone or in combination with other data to identify a person. Personal data protected by GDPR includes Name, Address, ID number, Health information, Racial or ethnic origin, Sexual orientation, Political views or affiliations, Religious beliefs or affiliations, Genetic data, Biometric data, Location data, IP address and Cookie data.

Collects email addresses or newsletters sign up
If your website collects email addresses for a marketing list to EU residents, and using a third-party service for email listing, this too must be GDPR compliant.

Process data from EU citizens on behalf of another entity
If you are in the hospitality industry, travel, software services or any e-commerce company that serves individuals from the EU and are embedded to third-party services, like Google and Facebook your websites also needs to be GDPR compliant.

 

 

How to make your website GDPR compliant.

When consumers visit your website and interact with it, GDPR requires you to make it clear and transparent as possible what is happening. You need to show the consumers what information you are gathering, offer options for consent, and be able to delete that information from your systems as soon as clients ask you to. For this to be possible you need to make some changes to your website in order to stay on the right side of the law, and to keep your customers protected. Some of the changes include:

Private Policy
First you need to analyze the data that you are gathering and assign a Data Protection Officer (DPO) who is responsible for monitoring this data. You then need to revisit your existing privacy policy and set out what personal information you’re collecting. Your privacy policy needs to be concise, transparent, and easily accessible. Showing how and why you are capturing data, where you are storing it, how long you intend to keep it, how people can view what information you have saved and finally, how they might go about having their data deleted from your systems.

Website Forms or Opt-in
Forms that invite users to subscribe to newsletters or indicate contact preferences must no longer include pre-ticked boxes. This is considered implied consent and not freely given. Users should be able to provide separate consent for different types of processing.

Easy to Withdraw Permission or Opt-Out
It must be easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent. This means for a consumer can selectively unsubscribe from specific types of communication or easily change the frequency of contact, or stop all communications entirely.

Online Payments
If you are an e-commerce business, then you are likely to be using a payment method for financial transactions. By passing the payment details onto the payment method, your website may be collecting personal data. In this case, your site is storing personal information after the information has been passed along. You are required to modify your web processes to remove any personal information after a reasonable period, for example, 30 days. The GDPR is not clear about the number of days. It is your own decision as to what can be defended as reasonable and necessary.

Cookies
Some companies use cookies to track consumers’ activity online for purposes of marketing. You will specifically need to outline in your privacy policy that cookies are being used on your website and customers can also opt out of cookie tracking in their browser’s privacy settings.

 

GDPR presents a real opportunity for organizations to drive data efficiencies throughout their organization. Since it’s a new regulation, business owners may find it challenging and take time to get it right. For more information on GDPR, visit the following links.

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

https://ec.europa.eu/justice/smedataprotect/index_en.htm

https://ico.org.uk/

Other Articles

When A Startup Should Invest In Branding

Investing in branding isn’t an easy decision when having limited resources, especially during the early days of business. Without a doubt, many startups decide to pay for a cheap logo to represent their business.

read more