GDPR Compliance Solutions

You need to comply with GDPR.

Your customers trust you to provide transparency and security

Proficiency, meet process

Next Steps

Privacy Policies and Cookie Consent Tools

Crafting your policies and informing individuals about them can be tricky. We help you read between the lines to create and/or update your privacy notices, information governance, and security policies.

Cookie consent tools are a GDPR requirement. We evaluate your vendors so you can assess and establish risk. Once we’ve found your perfect cookie consent tool, we’ll help you pick the best route to implementation.

Looking for a DIY approach? We provide customizable templates for privacy notices and cookie banners.
Vendor Management and Privacy Technology

Who are you working with? Are your management processes appropriate for your relationship? We help you analyze and update your strategies for new and existing vendors, including vendor assessments, Data Protection Addendums, or vendor agreements.

Are third-party privacy technology vendors part of your plan? We’ll assess your vendors and walk you through building a roster of data management and consent tools and establish plans for reporting processing activities, data security, and more.

Starting out with a vendor assessment? This project makes a useful point of entry for later data inventories.
Privacy Impact Assessments

Create and perform privacy impact assessments for new products or marketing campaigns.

What You Need to Know About GDPR

What’s GDPR?

The General Data Protection Regulation (GDPR) was described by everyone as the European Union’s “game-changing data privacy law.” It went into effect in March of 2018 and businesses have been chasing compliance ever since.

They aren’t wrong. GDPR is the biggest data protection law to come about in the last 20 years since the internet, mobile devices, e-commerce, social media, and big data took off. It affects businesses of all sizes around the world.

But what does that really mean?

In plain English, the GDPR sets guidelines for businesses, organizations, non-profits, essentially anyone who touches someone’s personal information in connection with offering goods and/or services to EU residents. Money doesn’t even need to change hands: the rules can apply if you’re asking for people’s personal information in exchange for information, a subscription to an email list, etc.

GDPR instructs businesses and organizations, but at its core, it’s about giving individuals control over their data. GDPR includes a number of provisions designed to provide that control, including:

  • The right to be informed
  • The right to access
  • The right to rectification
  • The right to erasure/to be forgotten
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Combined, all of these rights give EU residents the right to be informed and to understand how their personal data is being collected, stored, and used by companies. Companies have to get people’s consent before using their data, and they have to delete it if asked to. Learn more about the full scope of GDPR rights and how they differ from the new data protection law, CCPRA.

What’s Article 30 and Why is it Important?

Article 30 requires organizations to develop and maintain an internal Record of Processing Activities (ROPA). Without this record, it’s impossible to know what kind of personal data a company is gathering, how they’re storing it, and how it’s being used both internally and externally. Without this record, ultimately, it’s impossible to be fully compliant with GDPR.

Why is it Important to Businesses?

On a financial level, non-compliance can be a killer. If you’re found out of compliance with GDPR, you risk a fine of up to 20,000,000 euros or up to 4% of your company’s profits from the previous year, whichever is higher.

Compliance also creates transparency for your clients. Without it, your business risks serious reputational damage, loss of consumer confidence, and loss of business.

GDPR compliance extends past your own office doors, too. If your company has partners, they also need to be in compliance. That’s why vendor relationships are important to address when building your compliance – the trust factor is critical to doing business in a compliance-driven landscape.

Looking at the bigger picture, GDPR compliance can save your company time and money by prioritizing a streamlined data policy.

What’s Considered Personal Data?

One of the major changes to privacy came with the way that GDPR defined “personal data.” GDPR took a more expansive view of the concept. Most companies view personal data as being names, emails, addresses, ID numbers. And it is!

But GDPR has expanded what personal data means in some big ways by including new categories of health, genetic, and biometric data. According to the regulations, these categories are “particularly sensitive in relation to fundamental rights and freedoms.”

GDPR protects the following types of information:

  • Identity information, such as name, birthdate, address, and ID numbers
  • Web data such as location, IP address, cookie data
  • Health and genetic data
  • Sexual orientation
  • Biometric data
  • Racial or ethnic data
  • Political opinions

Interested in the whole list? Learn more about how GDPR classifies personal data here.

Does GDPR Apply to my US-based Company?

This is one of the most common questions posed by companies in the US. While GDPR deals with the rights of EU residents, it potentially applies to any company in the world. If your company processes personal data belonging to an EU resident, then GDPR applies to you.

What if no financial transaction happens?

Yes, potentially your company would need to be compliant with GDPR. If you’re an internet-based company that sells or markets products online to EU customers, you need to comply. If your company has a domain suffix for an EU country, ships to an EU country, provides translation of your site into a language of an EU country, or markets in that language, then GDPR applies to you. Are you B2B? If your customers serve an EU audience, GDPR compliance likely also applies to you.

Tracking information also counts. For example, if your company does market research on EU residents by tracking and collecting information to predict online behaviors, that qualifies.

What if we’re considered a public authority?

Public authorities or agencies make heavy use of personal data to deliver their services. That means they have the same responsibilities as private companies.

What do “Data Processor” and “Data Controller” mean?

Data processor and data controller are big concepts in the implementation of GDPR. Companies need to determine if they are either a “data processor” or a “data controller.”

Under GDPR, a data controller is the party responsible for getting consent for data and managing access to it. If something goes wrong, i.e., a data breach or mishandling of data, they’re on the hook.

A data processor, on the other hand, is simply that: the party that processes the data. This could be the data controller themselves, but it’s often a third-party vendor. For example, if a company tracked its website data and ran it through Google Analytics, Google Analytics would be the processor. However, data controllers still have compliance requirements that need to be implemented.

Go beyond compliance

Data Privacy is Just Good Business