Many small business owners are unaware of the General Data Protection Regulation (GDPR) or how its implementation this past May will impact their companies. GDPR was enacted to put individuals in control of their own data. While its intent was to protect EU citizens, the shadow of its reach is global. GDPR affects anyone holding data on EU citizens, including companies not located in Europe. This applies to websites, which is how most businesses become subject to the regulation.
The new rules require organizations to make some major changes to how they approach data privacy. Any website collecting data about its visitors, from personally identifiable information down to the simple collection of IP addresses, will need to identify what data is collected and obtain informed consent from its site visitors to collect it, or face potentially staggering fines.
At first blush, many companies may think they don’t collect visitor data. However, almost all websites use cookies for purposes such as obtaining web usage statistics (think Google Analytics), and many have online forms for joining mailing lists, requesting information, and so on. And certainly all sites that accept online payments – whether for sales/ecommerce or simply accepting donations, online bill payment, or purchase of tickets for events – collect user data.
The consequences of non-compliance will affect businesses of all sizes; ignorance of the regulation is irrelevant. As such, it is critically important to understand and implement what is needed to be in compliance.
Key Points of the GDPR:
- Individuals must have the right to see what data is collected, how it is used, who has access to it, and how long it will be retained
- Individuals must be able to access their data and change, correct, or delete it, as well as transfer the data to another company
- If a person no longer wants a company to process their data, the company must delete it
- All organizations involved in processing EU consumer data, including third parties, are subject to liability in case of a breach
- In some cases organizations must have a data protection officer in place, depending on the scale of data collected
- National authorities must be notified within 72 hours of any large data breach
- Parental consent must be granted to process the data of children who are minors
Even if your website doesn’t draw visitors from the EU, it is likely that we will see similar laws enacted in the United States before long. In February, Assembly Bill 2182 was introduced, which would impose regulations on the personal data of Californians if the bill becomes law.
There are benefits to becoming GDPR compliant. You will not only assure your customers that you care about their privacy concerns, but you will also be prepared for the American standards that are likely coming soon.
* If you are unsure about your company’s GDPR compliance, seek legal counsel specializing in GDPR and e-Privacy Regulation.