IT Service and Cybersecurity Experts – Leverage IT Group, LLC.

Small Business GDPR Compliance Guide

One of the most impactful data privacy regulations to be put into place is the European Union’s General Data Protection Regulation (GDPR). The regulation went into effect on May 25, 2018 and affects any company that collects data from EU citizens.

This includes data collected from website visitors or those purchasing from an online shop. Because of the international nature of business in the 21st century, many Dallas-Fort Worth and other American companies have to comply with GDPR.

While it’s estimated that currently just 50% of the companies working towards GDPR compliance have reached their goal, 4 in 5 companies intend to meet the requirement.

What Are the Basics of GDPR?

The main goal of GDPR is to protect personal information that’s collected by companies. In the age of the internet, data breaches, and misuse of data, regulations like GDPR have sprung up to help protect personal data shared and collected.

The GDPR has several purposes:

  • Protect the privacy of individuals
  • Give individuals more control over the data companies collect on them
  • Keep companies from collecting data without proper permission
  • Hold companies responsible for misuse of personal data

Who Does GDPR Apply To?

GDPR applies to any organization, either inside or outside the European Union, that collects, stores, or tracks the personal data of someone who is an EU citizen or resident.

This means if someone from France or Germany purchases a good or service from your company, you would be subject to GDPR guidelines when it comes to how you handle their information.

Even if that person only fills out your contact form and you add them to your newsletter list, you are still subject to the data privacy requirements of GDPR.

What Data is Covered by GDPR?

The GDPR defines personal data as “any information relating to an identified or identifiable natural person.”

The type of data that falls under GDPR is vast, and includes things like:

  • Name
  • Address
  • Phone number
  • Email address
  • IP address
  • Photos
  • Age
  • Date of birth
  • Special category data (includes things like race, religion, health, genetics, and more)

What Penalties Can U.S. Firms Pay for Violations?

U.S. companies can be fined for non-compliance with GDPR if they’re collecting data from EU citizens or residents.

Fines can be as much as 4% of their annual global revenue or €20 million ($24.18 million USD).

What Do I Have to Do to Comply with GDPR?

Complying with GDPR includes several steps involving cybersecurity practices, user responsiveness, and transparency about how user data is collected and being used by your company.

Some of the key areas you want to address include the following.

What Data Do We Collect?

Many businesses aren’t aware of all the user data they’re collecting on a daily basis, which makes it impossible for them to put proper protection policies in place.

It’s important to detail what type of data is being collected from individuals, and for what reason.

For example, do you collect demographic information on visitors by cross-referencing their Facebook profiles? This information is covered under GDPR and needs to be properly protected.

Map out all data collection that is done, ensure that it truly needs to be done, and detail what you’re doing with that data (informing sales activities, etc.).

Do We Have Proper Consent from the User?

How you collect data is important. GDPR requires that you’re very clear with users when you are collecting their personal information.

This includes doing things like not pre-checking newsletter opt-in boxes on forms and having a clear privacy policy that’s easy to find on your website.

Included in that policy should be details on:

  • How you collect individual data
  • How that data is used
  • How individuals can request their data be deleted

Are You Keeping Data Secure?

When you collect an individual’s personal data, GDPR requires that you keep it safe from misuse or being breached.

This means putting proper data security policies in place across your entire organization, from network safeguards to remote worker security.

This requirement reflects standard data security best practice, even for firms that aren’t subject to the regulation.

With data privacy in mind, you want to zero in on data handling policies (do employees take credit cards over the phone, etc.?) as well as the IT systems you have in place to keep out malware and hackers.

What Data Breach Response Procedures Are In Place?

If you have a data breach, GDPR requires that you make the proper notifications to those impacted by the breach as well as to the supervisory authority.

GDPR includes timelines that need to be followed for breach notification, otherwise a fine can be incurred.

It’s important to have a data breach response plan in place and to train employees in proper response tasks so that breaches can be contained and mitigated as quickly as possible to reduce exposure.

Need Help With GDPR Compliance?

Leverage IT Group has compliance experts on our team that can help your small business with affordable solutions for GDPR compliance.

Contact us today to schedule a free consultation. Call (469) 458-0559 or reach us online.