GDPR – How It Will Affect Your Business

The General Protection Regulation (“GDPR”) is a European Union law concerning data privacy that was enforced on May 25, 2018. It applies to organizations that offer services to, or monitor the behavior of, European Union data subjects, regardless of where the organization is actually located. This means that GDPR applies to virtually every website in the world, whether it is in the United States or France. You should be concerned with GDPR due to the fact that if you do not comply, you could be fined up to 4% of your global turnover, up to €20 million. We hope that offering up some details regarding GDPR may help you comply.

Definitions

Let’s start with some definitions:

1. Data subject: a natural person that could be or is identified (e.g. Mary, who puts her email into your contact us form);
2. Personal data: any information that is or could be used to identify a natural person, such as a name, an identification number, location data, etc. (e.g. IP address);
3. Data processing: any operation or set of operations which is performed on personal data or on sets of personal data (e.g. organizing the data into a spreadsheet);
4. Processor: any party that performs the data processing;
5. Controller: person or company that determines the purposes and means of the processing of personal data (e.g. you, the website owner).

Requirements

Next, there are seven new requirements by the GDPR that you, as the owner of the website or application are subject to:

1. Right to access: You must provide users with a copy of their data for free within 40 days of request;
2. Breach notification: you must send out a notification within 72 hours of first becoming aware of a data breach. The notification must be sent to all of data subjects that are affected by the breach. Furthermore, data processors are required to notify users as well as the data controllers immediately after first becoming aware of the breach;
3. Request for consent: consent must be given in an intelligible and easily accessible form, with all relevant info about the data processing. It must be as easy to withdraw consent as it is to give it;
4. Right to be forgotten (data erasure): the data subject has the right to have you erase his/her personal data, stop further dissemination of the data and potentially have third parties also stop the processing of the data;
5. Data portability: the data subject has the right to receive the personal data concerning him/her, which they have previously provided in a commonly used and machine readable format and have the right to transmit that data to another controller; and
6. Privacy by design: calls for the inclusion of data protection from day one of designing systems. Requires that you hold and process only the data completely necessary (data minimisation) and requires you to provide the data to only those persons that need it.
7. Depending on the size of your company, you may need to appoint a person responsible for GDPR compliance.
8. Privacy Policy

GDPR Rights

GDPR also comes with a list of 8 different rights that people have. These include the right to:

1. Access
2. Portability
3. Rectification
4. Withdraw consent
5. Restrict processing
6. Opt out of direct marketing, profiling, and automated decision making
7. Delete data
8. Complain to Data Protection Authorities

While the above requirements may seem onerous, the best course of action is to fully understand and evaluate the data that you collect, keeping in mind that the more data you collect, the more difficult and time consuming compliance will become. Furthermore, you should have a concrete plan in place for responding to data subject requests and for dealing with potential or actual breaches. Need a plan? Our Privacy Policy Generator can not only create website policies for you, but will auto-update whenever privacy laws change or are created.

Protect yo self,
Team Termageddon