GDPR: What does it mean for your business?

man in suit working on laptop and woman's hands reading a newspaper, both sitting at a wooden table

If you have an online business, you have probably heard some buzz about GDPR. What does it stand for and why do you care?

GDPR stands for General Data Protection Regulation and is a regulation passed by the European Union to protect the data of EU citizens as they use the internet.

You may be wondering how this applies to you if your business is not located in the EU. One of the provisions of the GDPR states that it applies to anyone collecting, processing, or storing data on an EU citizen – regardless of location. This type of broad regulation on digital data security is unprecedented, so some of the articles of the regulation, including how it will be enforced, are still subject to interpretation. That being said, we believe that all online businesses should take GDPR seriously for a few reasons:

  • It’s a great opportunity to audit your own systems to determine and outline what your current data collection and storage processes actually are.
  • Changing the way you collect and store data to become GDPR compliant is good data security practice regardless of the legislation. Your customers’ information will be secure and you will be transparent with it, building trust with your customers.
  • The United States may pass similar legislation in the years to come, and it’s always a good business move to be ahead of the game with legal compliance.
  • Here’s what has most business owners’ attention – the potential fines for violating the GDPR standards (even if you are not an EU based company) are steep. You may be fined anywhere from 2% – 4% of your company’s “annual turnover” – up to 20 Million Euros.

Read more about the regulations, reach, and potential fines here.

GDPR goes into effect on May 25, 2018 and our best recommendation would be to consult a legal professional prior to that date to ensure that your business is legally compliant with the new regulation.

While the GDPR is complex and multi-faceted, the main goal is to allow EU citizens the right to know what data is being collected, where and how it is stored, how to edit or modify it, and how to permanently delete it from your organization.

Here’s what that means for your business:

  • If you are a company which handles information from clients in the EU (which may or may not include the UK as Brexit becomes reality), you must be GDPR compliant by May 25, 2018 or potentially face fines if audited. This information includes but is not limited to name, email address, birthday, mailing address, IP address, password, and credit card information
  • Customers in the EU must have the following rights:

Right to be forgotten: If a customer asks for you to delete their data, you must delete all data pertaining to them from everywhere it is stored with your company. Period.

Right to object: If a customer decides they no longer wish to be involved in any part of your business (e.g. they want to opt out of mailing list emails), it must be clear and easy for them to do so. Consent to collect customer information must be “freely given, specific, informed, and unambiguous.”

Right to rectification: If a customer wants to change or update their data with you it must be clear and easy for them to do so.

Right of access: Customers must be able to access all data you have collected on them expediently if requested. Customers must also be able to access explicit explanations of how data is processed.

Notification of breach: Customers have the right to be notified within 72 hours if a data breach exposes their personal information.

  • GDPR regulations apply retroactively. This means any data you have on EU citizens (including names and email addresses) must have been consented to in the manner described above, or you need to get express consent to continue to hold this data. If you have EU customers on your mailing list who did not explicitly consent to be on your general mailing list when their email was given, consent must be obtained or their data must be deleted.  
  • Your Privacy Policy must be clear and easy to read (no “legalese”) and provide EU customers with information on how and why data is collected, how it will be used, and how they can view, change, or delete the data you have collected.
  • In the event of a data breach which is likely to “result in a risk for the rights and freedoms of individuals”, you must notify an EU regulator within 72 hours. In most cases, you must also notify your EU customers.
  • Under GDPR, individuals and businesses from outside the EU who collect data must appoint a representative within the EU. The representative is someone who the EU authorities can contact to address any GDPR compliance issues that arise. It is unclear which businesses this article applies to, as the wording is ambiguous. This rule does not apply if your processing of data is “occasional; does not include sensitive data or criminal conviction data; and is unlikely to result in a risk to the rights and freedoms of the people whose data you collect”. We recommend consulting with a lawyer about whether this clause applies to your business.

Feeling overwhelmed and unsure where to start to make sure your business is compliant by the deadline? Read our step by step guide.