Help with the GDPR for Websites and Business
On May 25, 2018 a new European Union regulation called General Data Protection Regulation (GDPR) will take effect and affect every person or business that collects the personal information of consumers in the European Union (EU).
This legislation affects virtually every country in the world where an EU consumer can become a customer, user, or provide their personal information. This means it includes you and your business if you do business with anyone from the EU -- even if they're only visiting your website.
The large corporations are already acting on the GDPR. You may have already seen emails from large service providers (including Google, Microsoft, Apple, Facebook, Twitter) that announce updates to their privacy policies.
Failing to comply with GDPR could be expensive.
Non-compliance with the General Data Protection Regulation (GDPR) legislation may leads to fines up to 20 million EURO or 4% of annual sales. This legislation applies to everything from contact us forms, newsletter signups, mobile event apps, online surveys to social media. Believe it or not, even the business cards you collect manually at a conference are included.
After answering quite a few questions about the GDPR from our clients, we felt that many other United States-based businesses might also be unaware of the laws and their ramifications. We assembled this overview of the relevant GDPR issues to help.
What is the GDPR?
The European Union’s General Data Protection Regulation (GDPR) was adopted last year and becomes actionable law on May 25, 2018.
It’s been described as the most important change in data privacy regulations in the last 20 years and is intended to give people who live in EU countries more control over how their personal data is used.
The GDPR focuses on the rights of individuals rather than companies. This means that the law is in place to protect consumer data or business to consumer (B2C) data. Business to Business (B2B) data collection is not the goal of this legislation.
The regulation is available to read here: https://www.eugdpr.org/the-regulation.html
Why was GDPR introduced?
Laws for modern technology: previous legislation was instituted prior to the modern-day Internet and cloud technology which changed how companies use “personal data”.
Simple and clear direction: Instead of the need to remain compliant with more than 25 different laws for different EU countries, the GDPR establishes one single set of laws.
What is “personal data” under GDPR?
Per Article 4 (1) the GDPR defines personal data as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In other words, any data that can be used to identify a person is regarded as "personal data".
Do these regulations apply to businesses who are not in the EU?
Generally, yes - ALL organizations that are collecting and handling personal data of European Union (EU) citizens and residents must comply with GDPR.
It’s important to note that the GDPR relates to the geographic scope. If you collect personal data or behavioral information from someone in an EU country, you are subject to the requirements of the GDPR.
Per this specification, the law only applies if the consumers are in the EU when the data is collected. If an EU citizen was outside the EU when their personal data is collected the GDPR would not apply.
Which Countries are in the European Union (EU)?
At the time of this post, the European Union consists of:
- Austria
- Belgium
- Bulgaria
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- United Kingdom
What if I don’t sell online?
A financial transaction does not have to occur for the law to apply. Even personal data collected as part of a marketing survey would have to be protected per the GDPR requirements.
What does the GDPR require?
GDPR requires website and web store owners to inform EU visitors of the following things:
- What personal data is being collected.
- What the data is being used for.
- Who is handling the data.
- How the data is collected and obtained.
- How and where the data is stored.
- What exactly does GDPR cover?
The GDPR focuses on the rights of individuals rather than companies.
To further break this down, here's more about each element:
Consent: Companies will be required to get their user's consent to store and use their personal data, as well as explain how it will be used. Consent must be an active, affirmative action by the individual, rather than passive acceptance through pre-ticked boxes or opt-outs.
Breach Notification: GDPR makes it compulsory to notify both data and users protection authorities within 72 hours of discovering a security breach.
Access: Upon request you must be able to provide digital copies of any individual’s personal data that you have collected, where the data is stored and what you are using it for.
Right to be Forgotten: Any individual at any time will be able to ask you to not only delete their personal data but to also stop sharing it with third parties (sponsors, suppliers, hotels, venues etc.). You will also need to notify those 3rd party organizations as they will also be obliged to stop processing it.
Data Portability: The new regulation states that individuals will have the right to transmit their data from one data controller to another. This means that upon request, you need to be ready to export the data you have on your attendees in a commonly used digital format.
Privacy by Design: GDPR requires that organizations have to have data security built into products and process from the very start. This applies to all the technology systems and software that you use to gather and manage personal data of your event attendees.
Data Protection Officers (DPO): Some organizations that frequently monitor large amounts of data or deal with data relating to criminal convictions will also be obliged to have a DPO, who will be in charge of GDPR compliance. That means ensuring internal data protection policies are updated, staff training is conducted and that processing activities are always documented.
How do I get consent for marketing under GDPR?
Consent must be “freely given, specific, unambiguous and informed indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data pertaining to him or her.”
For example, it wouldn’t be acceptable to have a form option for “Sign me up for your e-newsletter” with a checkbox that is checked by default. Instead, the person completing the form must provide consent by checking the check-box manually.
Need a possible silver lining? Getting clear and freely given consent could improve a consumer focused business's marketing data. While the amount of data may decrease in overall size, the quality should increase. Marketing to one consumer who's told you they're interested is usually more effective than marketing to 100 randomly collected email addresses.
How will GDPR affect my existing marketing database?
The GDPR regulations are retroactive. As of May 25th, 2018, any data you store will need to comply with the GDPR regulations.
You’ll need to perform a complete audit on the all data you currently store to ensure compliance in advance of GDPR. Any data that doesn’t meet the guidelines by May 25th must be deleted.
Can I share data with my business partners?
Unless you have specific consent from an individual, you cannot share their information with third parties. It’s a good idea to check sponsor agreements to ensure you’re not agreeing to supply information which you can’t legally provide.
To go one step further, if you have shared data with sponsors that will not meet the consent requirements of GDPR, then you will need to inform those sponsors and request that they cease processing that data.
What about the United Kingdom and Brexit?
Early speculation implied Brexit would ensure exemption for businesses in the UK as if the UK was no longer part of the EU, after that an EU-led legislation like GDPR wouldn’t apply to UK companies.
The Information Commissioner's Office in the United Kingdom (ICO) issued a statement that this would not be the case. In August 2017 they reconfirmed the intent to comply per an announcement about the Data Protection Bill which aims to bring the European Union’s General Data Protection Regulation into UK law.
What’s the difference between the EU’s GDPR and the US’s CAN-SPAM laws?
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) is an act that was passed in 2003 in the United States.
In the EU the protection of personal data is considered an important right while in the USA, the freedom of speech rights of a business creates a difference. The GDPR is opt-in legislation (requiring consumers to give explicit consent) while CAN-SPAM legislation is opt-out legislation (commercial mailings are allowed till the recipient says they no longer want them).
Should I change our Privacy Policy for the GDPR?
You will probably need to change or add information in your existing privacy policy. If you don’t have access to an attorney to help, there are online tools available like this one: https://dsgvo-muster-datenschutzerklaerung.dg-datenschutz.de/?lang=en.
I hope this information was useful. Please let us know if there's anything we can do to help! If I've gotten anything wrong here, please let me know in the comments below.