The General Data Protection Regulation (“GDPR”) is a European Union law concerning data privacy that will start to be enforced on May 25, 2018. It applies to organizations that offer services to, or monitor the behavior of, European Union data subjects, regardless of where the organization is actually located. This means that GDPR applies to virtually every website in the world, whether it is in the United States or France. You should be concerned with GDPR because, if you do not comply, you could be fined up to 4% of your global turnover, up to €20 million. We believe that a thorough understanding of the law may help you comply.
Thus, let’s start with some definitions:
- Data subject: a natural person that could be or is identified (e.g. Mary, who puts her email into your contact us form);
- Personal data: any information that is or could be used to identify a natural person, such as a name, an identification number, location data, etc. (e.g. IP address);
- Data processing: any operation or set of operations which is performed on personal data or on sets of personal data (e.g. organizing the data into a spreadsheet);
- Processor: any party that performs the data processing;
- Controller: person or company that determines the purposes and means of the processing of personal data (e.g. you, the website owner).
Next, there are seven new requirements under the GDPR that you, as the owner of the website or application, are subject to:
- Right to access: users must be provided with complete transparency regarding how their data is processed and stored. You must tell the users what data you are collecting, where this data is being processed and stored and why you are collecting, processing and storing the data. You must provide users with a copy of their data for free within 40 days of request;
- Breach notification: you must send out a notification within 72 hours of first becoming aware of a data breach. The notification must be sent to all data subjects that are affected by the breach. Furthermore, data processors are required to notify users as well as the data controllers immediately after first becoming aware of the breach;
- Request for consent: consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached. It must be as easy to withdraw consent as it is to give it;
- Right to be forgotten (data erasure): the data subject has the right to have you erase his/her personal data, stop further dissemination of the data and potentially have third parties also stop the processing of the data;
- Data portability: the data subject has the right to receive the personal data concerning him/her, which they have previously provided, in a commonly used and machine readable format, and has the right to transmit that data to another controller;
- Privacy by design: calls for the inclusion of data protection from day one of designing systems. Requires that you hold and process only the data completely necessary (data minimisation) and requires you to provide the data to only those persons that need it; and
- Depending on the size of your company, you may need to appoint a person responsible for GDPR compliance.
While the above requirements may seem onerous, the best course of action is to fully understand and evaluate the data that you collect, keeping in mind that the more data you collect, the more difficult and time consuming compliance will become. Furthermore, you should have a concrete plan in place for responding to data subject requests and for dealing with potential or actual breaches.
Protect yo self,