Today is an important day. It’s not just International Towel Day (yes, that’s a thing) but it’s also the day that the General Data Protection Regulation (GDPR) becomes enforceable. “But that’s just for businesses operating in the EU, isn’t it?” I hear you say. “That doesn’t affect me.” Sorry, not quite.
Do you have an online store with shipping options to countries within the EU? Do you have a website offering services that is visited by EU citizens, where you use Google Analytics or a Facebook pixel to track site usage? Or maybe you store email addresses to send out updates or newsletters? Yip, the GDPR DOES affect you.
What is the GDPR?
The GDPR is a new set of rules governing the privacy and security of personal data laid down by the European Commission. The GDPR will give people more control over their data with a uniform ruling set to be enforced across the entire European Union (EU).
Some key points covered by the GDPR:
- It gives European citizens the “right to be forgotten”, also known as Data Erasure.
- It also gives European citizens the right to ask what data a company holds on them, make changes, or transfer it to another company (referred to as “portability”).
- It outlines that any data collected must be related to the services or products provided. So asking someone for their age to sign up for your monthly newsletter won’t fly.
- Opt-ins or data given need to have clear consent: consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes which, by a statement or by a clear affirmative action, signifies agreement to processing.
- You also cannot give or sell data to third parties unless those giving you their data have clearly said it’s ok.
Who does the GDPR affect?
The GDPR applies to all companies selling to and storing personal information about citizens in Europe, including companies on other continents. So even if you are in New Zealand, Australia or anywhere outside of the EU, it still could apply to you.
The exact wording is:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
What do I have to do to be GDPR compliant?
WP Beginner has a great blog post that clearly explains the steps to ensuring you’re GDPR compliant. They explain you need to comply with the following requirements:
- Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form because they DID NOT opt-in for your marketing newsletter (that’s called SPAM by the way, and you shouldn’t be doing that anyway.)
For it to be considered explicit consent, you must require a positive opt-in (i.e. no pre-ticked checkbox), contain clear wording (no legalese), and be separate from other terms & conditions.
- Rights to Data – you must inform individuals where, why, and how their data is processed / stored. An individual has the right to download their personal data and an individual also has the right to be forgotten meaning they can ask for their data to be deleted. This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that (hmm, go figure).
- Breach Notification – organisations must report certain types of data breaches to relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individual data. However, if a breach is high-risk, then the company MUST also inform individuals who’re impacted right away.
- Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. Again this is not required for small businesses. Consult an attorney if you’re in doubt.
Ask yourself the following questions:
- How do we collect personal data? Do we use online forms? What forms do we have and what fields do the forms contain?
- Why do we collect personal data? How do we use it and is the data we’re collecting relevant and necessary to the way we use it?
- Where do we store personal data? What security measures do we have in place?
- Do we have a process for updating or wiping personal data?
While GDPR compliance may not be top of your agenda, I strongly suggest you take the time to audit the privacy processes for your business/blog/website. New Zealand privacy laws are currently being reformed, so now is a great time to make sure your processes are robust so you’ll be ahead of the game when local law changes are made.
Have you made changes to your privacy processes as a result of the GDPR hype? I would love to hear how it has affected your business decisions – drop a comment below!
Disclaimer: I am not a lawyer nor am I qualified to give any kind of legal advice. I did one law paper at Uni and I’m pretty sure I only got a B. This post is for information purposes only and should not be used as a guide, or legal advice, pertaining to the GDPR and becoming compliant. I highly recommend you seek professional legal advice.