In our recent blog posts, we have been discussing what you need to know about the GDPR, the ways it can impact your business, and how it is changing the digital age and the way we collect, store, and use data. In this post, we cover the highlights of the various points addressed by the GDPR and what you need to do in order to comply. Here is a quick summary of the 9 core areas of the GDPR:
- Email Lists - In addition to cookies, you must consider the email lists that you store. Send a GDPR-compliant consent form to all members of your current email lists to obtain updated, verifiable consent to hold their information in your database. If you are unable to obtain explicit consent from someone on your email list, again, their data should be deleted.
- Explicit Consent - Gone are the days when a little blurb at the bottom of a site warned that usage of the site indicated visitor consent to terms and conditions. No pre-ticked consent boxes are allowed now; instead, visitors must click a consent box themselves indicating that they are aware of data collection and that they are in agreement. In addition, the type of data being collected, the reason for collection, and the length of time it will be held must be made clear and concise using plain language understandable to the average person. Look at your site and verify that you are providing visitors an easy-to-understand explanation of what info you are gathering, why, and how long you will keep it.
- Consent Revocation - The GDPR also allows an individual to change their mind about your collection, storage, and use of their data. If someone asks you to stop using, storing, or collecting their data, you must comply. Check that your site provides visitors with an easily accessible means of revoking their consent.
- Data Modification - In addition to the right to revoke consent for data use, storage, and collection, individuals also have the right to make changes to the data you obtain. Does your website currently allow visitors the option of viewing and making changes to the data you have collected? This will be another feature you must put in place.
- Data Portability - The individual must be allowed to request a portable copy of his or her information and/or have you provide it to another company. You must be able to provide the data within one month of the request, at no charge to the person requesting it. If someone asked for their data today, would you be able to provide it in a timely manner? According to the GDPR, Chapter 3 (Article 20), the data must be provided in “...a structured, commonly used and machine-readable format…”
- Parental Consent - If your site collects information from children, active consent must be obtained from the parents. Check with each EU member state to determine what age is considered exempt from this requirement, because it ranges from 13 to 16.
- Data Breach - Should your organization’s data be compromised, the GDPR allows 72 hours for the necessary notification of data protection authorities and any individuals whose information was affected.
- Data Protection - If your website is collecting data on a large scale, you may need to hire a data protection officer (DPO). This person will be responsible for GDPR compliance company-wide. Many small businesses can avoid additional expense by appointing a current employee to oversee this position.
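The consent, revocation, modification and portability points above all come down to keeping a record of what each person agreed to, when, and under which privacy notice. The following is an added example, not code from the original post: a small in-memory consent ledger in which consent exists only when the submitted form carries an affirmative value (nothing is assumed or pre-ticked on the server side), a person can revoke or correct their entry, data with no remaining consent is deleted, and an export is produced as structured JSON for a portability request. The purpose names, form field names, the `AFFIRMATIVE` value and the sample submissions are all constructed assumptions for illustration.

```python
"""Added example (not the original post's code): a minimal GDPR consent ledger.

Assumptions (constructed for illustration): a site that asks consent for two
purposes, a form that posts the fields named in PURPOSES, and the string "yes"
as the only value that counts as an affirmative act.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Purpose -> name of the checkbox field in the submitted form (assumed names).
PURPOSES = {"newsletter": "consent_newsletter", "analytics": "consent_analytics"}
AFFIRMATIVE = "yes"  # anything else, including a missing field, is treated as "no"


@dataclass
class ConsentRecord:
    email: str
    name: str
    policy_version: str                 # which privacy notice the person agreed to
    consented_at: str                   # ISO-8601 UTC timestamp of the affirmative act
    purposes: dict[str, bool] = field(default_factory=dict)
    history: list[str] = field(default_factory=list)  # audit trail makes consent verifiable


class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def record_consent(self, email: str, form: dict[str, str],
                       policy_version: str) -> ConsentRecord | None:
        """Store consent from a submitted form.

        A purpose is consented to only if its field holds AFFIRMATIVE; a missing
        or different value is False, so the server never defaults to "yes".
        If nothing was consented to, any data held for that address is deleted.
        """
        purposes = {p: form.get(fld) == AFFIRMATIVE for p, fld in PURPOSES.items()}
        if not any(purposes.values()):
            self._records.pop(email, None)
            return None
        stamp = self._now()
        granted = sorted(p for p, ok in purposes.items() if ok)
        rec = ConsentRecord(email=email, name=form.get("name", ""),
                            policy_version=policy_version, consented_at=stamp,
                            purposes=purposes,
                            history=[f"{stamp} consent {granted} policy={policy_version}"])
        self._records[email] = rec
        return rec

    def may_use(self, email: str, purpose: str) -> bool:
        """True only if an affirmative consent for this purpose is on record."""
        rec = self._records.get(email)
        return bool(rec and rec.purposes.get(purpose, False))

    def revoke(self, email: str, purpose: str | None = None) -> None:
        """Withdraw one purpose, or all of them; delete the record if none remain."""
        rec = self._records.get(email)
        if rec is None:
            return
        targets = [purpose] if purpose else list(rec.purposes)
        for p in targets:
            rec.purposes[p] = False
        rec.history.append(f"{self._now()} revoked {targets}")
        if not any(rec.purposes.values()):
            del self._records[email]  # no consent left: stop storing the data

    def rectify(self, email: str, **changes: str) -> bool:
        """Let the data subject correct the fields they are allowed to edit."""
        rec = self._records.get(email)
        if rec is None:
            return False
        editable = {"name"}  # email is the record key, so it is not edited in place
        for key, value in changes.items():
            if key not in editable:
                raise KeyError(f"field {key!r} is not editable by the data subject")
            setattr(rec, key, value)
        rec.history.append(f"{self._now()} rectified {sorted(changes)}")
        return True

    def export(self, email: str) -> dict | None:
        """Structured copy of everything held about the person (Article 20 style)."""
        rec = self._records.get(email)
        return None if rec is None else asdict(rec)

    def export_json(self, email: str) -> str | None:
        """Machine-readable serialisation of export() for a portability request."""
        data = self.export(email)
        return None if data is None else json.dumps(data, indent=2, sort_keys=True)
```

The design point is that consent is derived from the submitted value alone and defaults to False, which is the server-side counterpart of not pre-ticking the box; the `history` list is what lets you later show who consented to which notice and when, and `revoke` deleting an empty record mirrors the post's advice that data without consent should not be kept.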
The GDPR ushers in a new era of unprecedented control over our own data and how it is collected, used, and stored. With these changes, we should see a decrease in the amount of identity theft and scams that have plagued us in the past decade. The changes brought about by the EU Regulation will benefit us all as companies worldwide bring their sites into compliance. It is inevitable that the standards of the GDPR will be echoed in future legislation around the globe. Conforming to the GDPR will prepare you for upcoming changes in our country’s legal future and protect you from costly fines and penalties. Need additional help? Check out our recent post, which shares online resources for GDPR compliance.