GDPR. Have you heard those 4 little letters swirling around lately? If you’re like me, you initially brushed it off believing it wouldn’t really affect you too much. I don’t currently do business in the EU, and that’s where the regulation is enforced. Yet, I decided to do a little research and find out more. With all the controversy surrounding data storage and usage lately (I’m looking at YOU, Facebook!), I want to make sure I’m ahead of the game when it comes to handling data correctly! Now I’ll share with you the highlights of what I learned, so that you can be prepared, too!
What is GDPR?
GDPR is the General Data Protection Regulation. It was created in the European Union, where it will be enforced, and it protects people by regulating how personal data is collected and stored. Under GDPR, organizations must ensure that personal data is gathered under strict and legal conditions. Once the data is collected, they must protect it from misuse and exploitation, and respect the rights of the data owners. Those who do not comply with the GDPR will face penalties in the EU. The new regulation will be introduced on May 25th.
New customers must be informed of how and why their information will be stored, and they have to give their explicit consent to data storage. Existing customers should be sent an email requesting their explicit consent if it has not already been given. All customers must be able to access their data and cancel or unsubscribe at any time. When and if they unsubscribe, their information must be deleted.
What is considered Personal Data?
Personal data includes a person’s name, any identification numbers, location data, any online identifier (e.g. a username), or any specific information related to someone’s social identity. This includes information related to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity. Translated: any information that could help you identify someone!
Data Breach
Under GDPR, customers and clients must be informed within 72 hours of a data breach. This means that if you discover that an unauthorized person has accessed the names, addresses, health records, bank details, or any other private data belonging to your customers, you may not keep it to yourself! The breach should be reported to the customer directly, via 1:1 correspondence, within those 72 hours.
Who must abide by GDPR?
Anyone who does business in or collects data from people living in the EU must follow the GDPR. If you sell goods in the EU or have clients in any of those countries, that means you! Even small businesses are not excluded.
Your consumer rights under GDPR
GDPR is truly for consumer protection. If you don’t do business in the EU, you still have a right to be informed of your rights as a consumer when interacting with a European company! Organizations are required to notify you quickly if your personal data has been hacked or otherwise compromised. You must be able to easily gain access to your personal data, and companies must inform you about how your data will be collected, processed, and stored. Someone should also contact you to see if you’d like to opt out of services upon the introduction of GDPR! If you opt out or unsubscribe, your personal information will be deleted – not stored indefinitely.
GDPR made simple
Ok, that was a lot of technical information! Let me break it down for you. Plain and simple, GDPR will be put in place on May 25th (in the EU) to protect the personal data of consumers. From that date on, any company doing business there must carefully store data to protect against a breach and must request explicit consent before collecting, processing, or storing personal data.
Why does GDPR matter for you?
Like I said, if you don’t currently do business in the EU, this new regulation may not affect you directly. However, data protection and regulation are at the center of dialogue in the U.S. as well. This has been at the heart of Mark Zuckerberg’s testimony before Congress – whether or not a person should be required to “opt out” of having their personal data collected, rather than “opt-in” to share it. Many individuals have expressed a lack of concern about Facebook’s data practices, but our legislators rightly feel an obligation to protect consumers. In my opinion, the U.S. likely won’t be far behind in regulating how companies collect and store personal data. Companies that do not currently have good data collection and storage policies will be in a tough spot when and if such legislation comes to fruition. Wouldn’t it be better to adjust your practices now and be ahead of the tide?
Best practices for GDPR Compliance
Here are the things you can start doing right now to be GDPR compliant:
- Always ask customers to provide consent. This can be as simple as adding a checkbox to your web forms that reads “I consent to have my data collected and stored,” or something along those lines. Make sure it is a required field for submission.
- Allow customers to view their data at their request. If you have a small company, this may occur rarely and you can respond to requests as they occur. If you are a larger company, you may need an add-on for your site that manages these requests. (View WordPress add-ons here)
- Send a double opt-in email. This email should explain your data collection, usage, and storage practices, and request consent to email marketing. You should also send a re-permission email to all of your existing contacts requesting their consent as well.
- Include the option to unsubscribe in every email you send. Most businesses do this already, but check to make sure it’s included in your CRM software template! If someone unsubscribes, delete their information.
- Keep your security tools up-to-date. Check to be sure that your data management software is compliant with security regulations, and keep all of your plugins updated. This one is really important! If an unauthorized person accesses data through your company, you could eventually be held responsible. Or at least called to testify before Congress…
There you have it! GDPR broken down into 5 action items. Even though GDPR may not apply to you and me right now, these guidelines are really just best business practices! Consumers appreciate it when their rights are respected and you make an effort to protect their privacy. Being ahead of the game will only help your company in the long run!
Disclaimer: I’m not a lawyer and this blog should not be considered legal guidance! This is merely one small-business owner trying to help out the next.