No matter where you are in the world, the new GDPR (General Data Protection Regulation) has been in the news a lot over the past few weeks, with businesses in the UK and Europe busy preparing for the new regulation to come into effect.
Europe’s General Data Protection Regulation changes the way businesses deal with data. It came into effect on May 25, 2018, and is the largest shake-up of data protection in Europe for two decades, as it changes how you can use personal data.
"The GDPR rules will better protect businesses and organisations from data breaches" - Grant Harrison, Ashbourne
Check out this guide on GDPR to find out more about the specifics of the new regulations.
However, while it may seem like something that will have no effect on your business if you’re based in the U.S., the truth is you still need to ensure you are fully prepared.
Many businesses in the U.S. have no idea how the GDPR will affect them. Sage carried out a survey recently that found 91 percent of businesses in the U.S. are lacking awareness of the details.
If you want to operate in any EU member state, or serve any individuals living in the EU (e.g. via a company website), your business needs to be compliant. If your website is available to people based in the EU, or if you collect data from people in the EU, you will be affected.
The deadline for being GDPR-compliant has now passed, so if you are not yet compliant, make this a priority.
● If you have online marketing forms or any interactions with EU individuals, make sure you get explicit consent from the consumer. You cannot pre-tick your checkboxes to sign up for your newsletter, for example.
● If you have EU-based individuals on your email list, make sure they consented to be on that list, preferably via a double opt-in. If you have any doubts over this, write to them asking them to confirm they want to be on your list.
● If customers want to withdraw their consent, you must make it easy for them to do so. You need to have a process in place so that their record can be deleted, and you must provide them with a copy of it.
● If you process data that relates to anyone 16 or under, you will require parental consent.
● Large companies might want to consider employing a Data Protection Officer.
● You will also be required to have policies in place for your data protection to show precisely how you process data.
● Let your customers know that you are taking all the necessary steps to comply with the GDPR.
● If you suffer a data breach and personal data is at risk, you must inform an EU regulator within 72 hours. You might also have to notify the subjects.
Here’s another guide from the UK that explains some of the steps companies must take to prepare.
Non-compliance could result in a large fine. This could reach up to 20 million euros or 4 percent of your annual turnover, whichever is larger. The EU authorities have the power to impose these fines.
How will the EU enforce these in the United States? Questions remain, but you don’t want to risk it.
"The GDPR is now in force, and if you have not yet taken steps to ensure you are compliant, now is the time to make this a priority. Don’t risk a crippling fine. There’s a good chance you won’t have to make too many changes, but you do need to ensure you are compliant." - David Bowen, Bowen Eldridge Recruitment