What is GDPR?

PublisherSol Minion Developmenthttps:https://assets.solminion.co/logo.svgPublished Compliance small businessdata security

You’ve probably been hearing a lot about GDPR -- or have been flooded by privacy policy update emails -- and you might wonder what it means for your business and website. GDPR (General Data Protection Regulation) was also a common topic at the recent Cybersecurity Summit. So, what is GDPR? The European Union (EU) started data protection with its first law in 1995, the Data Protection Directive. GDPR replaces that law in what the EU sees as their being at the forefront of privacy and data protection. The GDPR became enforceable on May 28th, 2018.

There are few things any business or website owner should know.

GDPR Compliance

Who is subject to GDPR? In general, if you control or process personal data, then there are parts to the GDPR law that you must comply with. While this is a European Union law, it still applies to non-EU companies when the personal data being controlled or processed is that of a person residing in the EU. Yes, if somebody from the EU visits your website, and you gather personally identifiable information from them, then you must comply. Here is a good checklist to help you comply and navigate through your responsibilities.

How to Comply with GDPR

Next, as an American small business, you probably wonder how to comply with GDPR. We’re not going to summarize the entire law here, as there’s plenty of resources on the web for that. But, there are a few things you can do to comply:

  1. Take the time to know what data you are collecting, storing and processing. This is the baseline for understanding how you’ll need to protect data.
  2. Develop your privacy policy and get consent when collecting data, including ‘Fair Processing Notices’ informing customers of what you’ll be doing with their data.
  3. Update your security measures to be GDPR compliant, including using encryption.
  4. Train your team to react to and report breaches within 72 hours.

When it comes to typical digital marketing and your website, keep these in mind:

  1. Make opting into your newsletters default to ‘opt out’ -- uncheck that box.
  2. Separate accepting terms and conditions from opting into a newsletter.
  3. Separate different channels to be contacted: SMS, Phone, Email, etc.
  4. Make unsubscribing and subscriptions super easy to opt in/out of.
  5. If your contact forms include multiple parties on your end, make sure those are obvious.
  6. If you track cookies that are linked to personally identifiable information, provide an opt-in warning on your site with an acceptance button. You’ve likely been seeing more and more of these since May 28th.

What if I Have Fewer than 250 Employees?

Many small businesses with fewer than 250 employees may think they’re exempt, due to exemptions spelled out in the law regarding record keeping. However, any business that holds personally identifiable information must:

  1. Enact the privacy protection measures listed above
  2. React to individual data requests (for EU residents)
  3. Keep proper records

Data Rights for Individuals

Your site visitors under GDPR have the following rights:

  1. The Right to know if you have stored their data and, if so, the right to know what that data is.
  2. The Right to know if data is being transferred to a third-party party.
  3. The Right to a copy of all data being processed, including the right to request it be transferred to another party.
  4. The Right to have all data erased without delay or to have data processing cease.

GDPR and Cybersecurity

The importance of cybersecurity for your business, in general, cannot be overstated. With GDPR, there is now one more layer of responsibility. Should your company incur a data breach and NOT have taken the proper security measures or NOT react properly, you could be in for some European heat. Until GDPR, businesses were likely most concerned with sensitive data, such as social security numbers and financial information. Now, the scope of data that must be protected has broadened. The consent and the reaction to a data breach mentioned above need to be part of your cybersecurity plan. Finally, you’ll need to look at your physical network as well as your data storage and processing. If you don’t have one on staff, get an IT expert in to analyze your network to ensure you have proper protection. A simple firewall is no longer adequate.

Summary: Our Recommendations

Allocating time on your calendar towards getting compliant will be far easier and take less time that figuring out how to avoid it. Companies with less than 250 employees will be less likely to have a breach and will also be less likely to be targeted for audit or legal action by the EU authority. That said, it is good business to be transparent with your users/customers about their data, keep good records, encrypt the data, and reply to their requests around their individual data.

Questions about your website?