Darkness falls across the land, the midnight hour is close at hand. New regulations crawl in search of blood, to terrorise your online neighbourhood. Europe’s new General Data Protection Regulations (GDPR) may be here, but there’s nowhere near as much reason as you might think to fear.
I’ll stop with the amateur poetry hour and King of Pop allusions now, this is serious business. GDPR has been striking fear into the hearts of companies of all shapes and sizes in all corners of the globe, even though it is only technically designed to protect data rights of European Citizens. But just what is it all about? And how will it realistically affect American businesses? Let’s get into it.
Its heart is in the right place
At its very core, GDPR is designed to protect the privacy and rights of EU citizens. In light of recent scandals such as Cambridge Analytica, this seems like a good thing. The original Data Protection Act of 1998 was not made for our modern world of ad tracking, targeted ads and data being big business. These new regulations are designed to make things more transparent for individuals, to make companies act more responsibly when it comes to data handling, and generally to make the world a nicer place. And the US is definitely not immune. The new regulations have an increased geographical scope – this means that if you collect personal data or behavioural information from an individual in the EU, then the requirements apply to your company.
Also, if US companies use targeted marketing toward EU web users then GDPR will apply. If a US company has its own websites based in or targeting EU users, then they definitely fall under it.
Life’s a breach
One of the key things about the new GDPR relates to privacy breaches. Under the regulation, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. What does that mean? That you need to hold data securely. That’s nothing new, but if data you have collected on EU nationals gets into the wrong hands and it is either personal data (name, address, date of birth etc), high-risk data (bank account details, credit card number) or special category data (ethnicity, political views, sexuality etc), you could be in danger. Getting into the wrong hands doesn’t just mean being hacked; it could be as simple as one of your team accidentally emailing someone’s address or other personal data to the wrong email address. It’s a lot stricter than it used to be – data should be kept securely. Something as simple as a letter with personal data in it left on a desk could be classed as a breach.
It is also recommended you use encryption to protect databases and also for transferring data via USB sticks – a lost one of those counts as a data breach too.
You must report data breaches within 72 hours to mitigate any potential fines, which are now much heavier under these new rules.
Another panic station companies have been scrambling around is consent. Your inbox has no doubt been full of emails pleading with you to consent to carry on receiving them. This relates to another major change in the regulations – consent must be ‘freely given, specific, informed and unambiguous’. This means the user must have taken positive action to have their data collected and know exactly what you’ll do with it. They must have ticked a box (having to untick a pre-ticked box is no longer allowed), agreed to something, or entered their details themselves. Implied consent is no longer allowed, so many companies who have acquired your data through sharing between partners have been sending these begging emails to get you to consent in a way that is accepted by the new rules. So, before you carry on emailing European-based entries on your database, consider how you got their data – did they actively and positively consent, or is it just implied consent? Just because they bought something from your online store does not mean they agreed to get communication from your partners or other businesses. The same goes if you are aiming to contact people whose data you got from a partner company. If in breach of this, you may have to prove how an individual consented to you using their data.
Another new principle of GDPR is that data held about people should be adequate, relevant and limited to what is necessary and only kept as long as necessary. So if you are a retailer and you use the data to contact people about sales and deals, what data do you actually need to do that? Email address? Sure. Name? Likely. Address? Not necessarily. Their sexuality or marital status? Probably not. Any data that is no longer required should be deleted.
Individuals also have a right to exercise a Subject Access Request. This means that the company they contact (and this could be an American company that holds data about a European citizen) has 30 days to tell that person exactly what data they hold about them and what it is used for. The individual now has a right under the GDPR changes to request to be forgotten, meaning you have to completely and securely erase them from your databases. This is a major change.
There is also a new right individuals have to data portability, which gives them a right to obtain the data you hold on them and reuse it for their own purposes across a different service in a secure way.
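To make the consent, minimisation, Subject Access Request, erasure and portability points above concrete, here is a small in-memory record store that enforces each of them. This is an added illustration written for this article, not code from any regulator or product; the field names, the `ALLOWED_FIELDS` set, the `DataStore` class and the sample customer data are all constructed assumptions about how a retailer's sales-mailing list might be modelled.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone

# Constructed assumption: the only fields a retailer needs to e-mail deals.
# Anything else is rejected at intake (data minimisation).
ALLOWED_FIELDS = {"email", "name"}


@dataclass
class ConsentRecord:
    purpose: str      # what the data will be used for, e.g. "sales_emails"
    statement: str    # the exact wording the person agreed to
    source: str       # where consent was captured, e.g. "checkout_form_v3"
    granted_at: str   # ISO-8601 UTC timestamp, so consent can be proven later


@dataclass
class Subject:
    subject_id: str
    created_at: datetime
    data: dict = field(default_factory=dict)
    consents: list = field(default_factory=list)


class DataStore:
    """Hypothetical store enforcing the obligations discussed above."""

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self._subjects: dict[str, Subject] = {}

    def register(self, subject_id: str, data: dict, now: datetime) -> Subject:
        # Minimisation: refuse fields that are not necessary for the purpose.
        extra = set(data) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"unnecessary personal data rejected: {sorted(extra)}")
        subject = Subject(subject_id, now, dict(data))
        self._subjects[subject_id] = subject
        return subject

    def record_consent(self, subject_id: str, purpose: str, statement: str,
                       source: str, box_ticked: bool, pre_ticked: bool,
                       now: datetime) -> ConsentRecord:
        # Consent must be a positive, unambiguous action by the person:
        # a pre-ticked box, or a box left unticked, does not count.
        if pre_ticked or not box_ticked:
            raise ValueError("consent must be freely given by a positive action")
        record = ConsentRecord(purpose, statement, source, now.isoformat())
        self._subjects[subject_id].consents.append(record)
        return record

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Consent is per purpose: a sales opt-in is not a partner-marketing opt-in.
        subject = self._subjects.get(subject_id)
        return subject is not None and any(c.purpose == purpose for c in subject.consents)

    def subject_access_request(self, subject_id: str) -> str:
        # SAR and portability: everything held about the person plus the purposes,
        # in a machine-readable form they can take to another service.
        subject = self._subjects[subject_id]
        return json.dumps({"subject_id": subject.subject_id, "data": subject.data,
                           "purposes": [asdict(c) for c in subject.consents]}, indent=2)

    def erase(self, subject_id: str) -> bool:
        # Right to be forgotten: the whole record is removed, not just flagged.
        return self._subjects.pop(subject_id, None) is not None

    def purge_stale(self, now: datetime) -> list[str]:
        # Retention: delete records kept longer than necessary.
        stale = [s.subject_id for s in self._subjects.values()
                 if now - s.created_at > self.retention]
        for subject_id in stale:
            del self._subjects[subject_id]
        return stale


def demo() -> dict:
    """Run the lifecycle on constructed sample customers and return the outcomes."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store, out = DataStore(retention_days=365), {}
    try:  # intake with a field the purpose does not need
        store.register("cust-1", {"email": "a@example.com", "sexuality": "n/a"}, t0)
        out["extra_field_rejected"] = False
    except ValueError:
        out["extra_field_rejected"] = True
    store.register("cust-1", {"email": "a@example.com", "name": "A. Person"}, t0)
    try:  # a pre-ticked box is not consent
        store.record_consent("cust-1", "sales_emails", "Send me deals", "checkout_form_v3",
                             box_ticked=True, pre_ticked=True, now=t0)
        out["pre_ticked_rejected"] = False
    except ValueError:
        out["pre_ticked_rejected"] = True
    store.record_consent("cust-1", "sales_emails", "Send me deals", "checkout_form_v3",
                         box_ticked=True, pre_ticked=False, now=t0)
    out["consent_for_sales"] = store.has_consent("cust-1", "sales_emails")
    out["consent_for_partners"] = store.has_consent("cust-1", "partner_marketing")
    out["sar"] = json.loads(store.subject_access_request("cust-1"))
    out["erased"] = store.erase("cust-1")
    out["consent_after_erase"] = store.has_consent("cust-1", "sales_emails")
    store.register("cust-2", {"email": "b@example.com"}, t0)
    out["purged"] = store.purge_stale(t0 + timedelta(days=400))
    return out
```

The point of the `demo` walk-through is the order of failures a real system should produce: unnecessary fields never enter the store, a pre-ticked box never produces a consent record, consent is scoped to one purpose, the SAR export carries the consent evidence (wording, source, timestamp) alongside the data, and erasure and retention both remove the record outright rather than marking it inactive.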
So while GDPR is more stringent than what was there before, it is being done in the best interests of EU citizens. It’s certainly no reason to shun European business and if you adhere correctly, you have nothing to fear.
In this article I’ve covered some of the main points of GDPR and how it may affect US companies. I recommend checking out www.eugdpr.org, where you can find even more detailed advice on how to be GDPR compliant.