The General Data Protection Regulation (GDPR) is European legislation coming into force on 25 May 2018. It updates the current data protection laws, which fail to protect data against the new ways in which it is used (and abused).
While your business may not be based in Europe, if you handle, or contract somebody else to handle on your behalf, EU citizens’ personal data, you will be affected by this new legislation. Even if no financial transaction takes place such as in the circumstance of a marketing survey, if you have collated data that includes personal identifying data, you are governed by the General Data Protection Regulation.
For example, if your business website has a French translation of the site, the information that you display can be accessed through a .fr domain, and you provide the option to pay in Euro, you will need to pay attention to the GDPR. However, if a French person accessed your website through a search engine and your website is written for American consumers, you do not have to worry about the GDPR. It is a minefield, and one that you need to be aware of. So how do you abide by the GDPR?
The one way for American companies to protect themselves from falling foul of the new legislation is to update their websites with a form that allows the consumer to consent to the sharing of data. This cannot be a lengthy form of terms and conditions, and most importantly, it must be in the visitor’s language so that clear consent can be given. The GDPR promotes transparency, and consent from the subject must be “freely given, specific, informed, and unambiguous.”
The GDPR is essentially an update about security and protection, and to be compliant for the live date in May, you need to get your data in order. The GDPR does not just apply to new data, but historic too, meaning that you will need to seek retrospective consent, so you need to be reviewing the data that you currently have and ensure that you are compliant in the future.
The benefit of cloud-based data is that you can centralize consent. Logins to a central portal can allow consent for data to easily be given or revoked, but you must also be aware that by the nature of the cloud, data is distributed storage and is moved around different countries’ data centers. If you are using a company such as theaccessgroup.com, you will be able to discuss with them how to ensure that your data is secure, protected and compliant.
You must be aware that subjects can request that the data that you have on them is deleted and removed from your systems. You will need to have set procedures and processes to be able to comply with these requests; if not, you will be in breach of the GDPR and may face a fine for the oversight. Subjects are also able to request copies of the data that you hold, and so you may need to review the format of the data that you hold.
The GDPR, although European legislation, has a far-reaching global impact, and you must take every step to ensure that your business is compliant. Failure to do so will cause not only financial issues for your company but damage to its reputation too, which will further impact your future success.