You’ve probably been hearing a lot about GDPR -- or have been flooded by privacy policy update emails -- and you might wonder what it means for your business and website. GDPR (General Data Protection Regulation) was also a common topic at the recent Cybersecurity Summit. So, what is GDPR? The European Union (EU) passed its first data protection law in 1995, the Data Protection Directive. GDPR replaces that directive and is intended to keep the EU at the forefront of privacy and data protection. The GDPR became enforceable on May 25th, 2018.
There are a few things any business or website owner should know.
Who is subject to GDPR? In general, if you control or process personal data, then there are parts of the GDPR that you must comply with. While this is a European Union law, it also applies to non-EU companies when the personal data being controlled or processed belongs to a person in the EU and the processing relates to offering them goods or services or to monitoring their behavior (for example, tracking them with analytics or advertising cookies). Yes, if somebody from the EU visits your website and you gather personal data from them in that way, then you must comply. Note that "personal data" under GDPR is broader than the American notion of personally identifiable information: an IP address, a cookie identifier, or an email address counts. Here is a good checklist to help you comply and navigate through your responsibilities.
Next, as an American small business, you probably wonder how to comply with GDPR. We’re not going to summarize the entire law here, as there are plenty of resources on the web for that. But, there are a few things you can do to comply:
When it comes to typical digital marketing and your website, keep these in mind:
Many small businesses with fewer than 250 employees may think they’re exempt, due to the record-keeping exemption spelled out in the law. That exemption only covers the written record of processing activities, and only when the processing is occasional and does not involve sensitive categories of data; it does not exempt you from the rest of the law. Any business that holds personal data must:
Your site visitors under GDPR have the following rights:
The importance of cybersecurity for your business, in general, cannot be overstated. With GDPR, there is now one more layer of responsibility. Should your company suffer a data breach and NOT have taken the proper security measures or NOT react properly, you could be in for some European heat. GDPR requires you to report a breach of personal data to the supervisory authority within 72 hours of becoming aware of it, and to notify the affected individuals when the breach puts them at high risk, so you need an incident response plan before anything happens, not after. Until GDPR, businesses were likely most concerned with sensitive data, such as social security numbers and financial information. Now, the scope of data that must be protected has broadened to all personal data, names and email addresses included. The consent and the reaction to a data breach mentioned above need to be part of your cybersecurity plan. Finally, you’ll need to look at your physical network as well as your data storage and processing; the law expects security measures appropriate to the risk, and it specifically names encryption and pseudonymization as examples. If you don’t have one on staff, get an IT expert in to analyze your network to ensure you have proper protection. A simple firewall is no longer adequate on its own.
Allocating time on your calendar towards getting compliant will be far easier and take less time than figuring out how to avoid it. Companies with fewer than 250 employees are less likely to be the first targets of audit or legal action by the EU authorities, but the obligations and the fines apply regardless of size. That said, it is good business to be transparent with your users/customers about their data, keep good records, encrypt the data, and reply promptly to their requests about their individual data.