Disclaimer: This article is not intended to serve as legal advice. If you’re preparing to comply with the GDPR, it’s up to you and your own legal counsel to determine how these privacy laws apply to your specific business.
On May 25, 2018, the most impactful data privacy law update in 20 years will take effect. The EU General Data Protection Regulation (GDPR)—developed to harmonize data privacy rules across Europe and provide heightened protection for EU citizens—is forcing businesses to closely examine and enhance their data management practices.
The EU Parliament approved the GDPR after four years of preparation and debate, and the 2018 enforcement date comes after a two-year post-approval grace period. Even so, many businesses are still working to bring their practices into compliance. Is your business prepared?
If you collect, process, or store the personal data of EU citizens, you’re obligated to comply with the GDPR legislation. To help you fast-track your preparations, here’s a crash course on the GDPR.
What You Should Know about the GDPR
The GDPR is a set of regulations that mandate highly transparent and secure collection of EU citizens’ data. The legislation protects personal data, such as names and email addresses, as well as sensitive data, such as biometric identifiers and political views. It also gives users control over their data. If you’re looking to get up to speed on the GDPR, here are three things to note:
- Its impact is more widespread than you might think.
- The consequences for noncompliance are hefty.
- The provisions fall into four high-level categories.
Let’s explore these areas a bit further.
Compliance with the General Data Protection Regulation is not limited to businesses located within the European Union. The GDPR applies to any organization that collects, processes, or stores personal data from those in the EU. Even if your business is based in the United States or somewhere else outside the EU, you’re still subject to the GDPR regulations if you offer products or services to EU citizens.
If your business fails to comply with the GDPR after the May 2018 enforcement date, the cost could be severe. Organizations found in breach of GDPR laws could be fined up to 4% of their global annual turnover or €20 million—whichever is greater. Additionally, there is much speculation that enforcement will be heavy-handed early on to encourage companies to become compliant quickly.
The overarching principle behind the GDPR is transparent data handling that gives users control over their data. The main provisions within the legislation can be grouped into four high-level categories: communications, consent, data security, and breach notifications.
First and foremost, the GDPR mandates transparency and clarity for all communications related to the collection of personal data. This means anytime you collect information from EU citizens, you must ensure they know exactly how you plan to use their information. Where will it be stored? Will it be transferred to a third party? You’re obligated to answer these questions and more. You also need to have documented privacy policies that can be accessed and understood with ease.
Along with clear communications, you must provide users with opt-in consent. Gone are the days when it’s okay to pre-select the email consent box to offer opt-out consent. With the new laws, users have to provide distinguishable consent for your business to use their information, and the consent language must be informed, specific, and unambiguous. You’re also obligated to inform users of their right to access their information or withdraw consent at a later date. Additionally, if your organization wants to use collected data for a purpose that was not defined at the time of original consent, you must get updated consent from affected users.
Secure storage of collected data is also a big piece of the GDPR. To comply with the law, your organization must implement appropriate security measures to protect stored data from unauthorized access, disclosure, destruction, or alteration. You must also have a documented data retention policy that states how long your organization will retain a person’s information and provides lawful business reasons for the retention period.
Should a data breach occur, your organization has a much greater notice obligation under the GDPR than under other data privacy legislation. If there is any sort of loss, alteration, destruction, or unauthorized access of the personal data you control, your organization must notify authorities of the breach within 72 hours.
What You Should Know about the Privacy Shield
If you own or operate an American business, you should be aware of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. The EU-U.S. framework essentially replaces the previous data privacy and protection standards known as Safe Harbor, which certified that businesses were providing adequate protection of personal data transferred from the EU to the United States.
The General Data Protection Regulation mandates that personal data leaving the EU only be transferred to countries that have adequate data protection laws—or laws that provide protections similar to those laid out in the GDPR. The Privacy Shield allows U.S. organizations and their EU partners to comply with this piece of the GDPR. Thus, if you are a U.S. company affected by the GDPR, you must also ensure you are in line with the Privacy Shield in order to be in full compliance with the GDPR.
How to Ensure Your Organization is in Compliance
To transition your organization to compliance with the GDPR by May 25, 2018, you’ll need to walk through several (likely cumbersome) steps. To make it easier, the Information Commissioner’s Office in the United Kingdom put together a 12-step guide to preparing for the GDPR. Here are a few of the key tasks you need to complete:
- Audit your data management practices. What data do you have? Where is it stored? Do you share it with anyone? Do you have a lawful reason for collecting it?
- Update your forms to include proper consent language. Is your intended use of the collected data apparent? Is there a clear opt-in section? Have you given users enough information to consent?
The General Data Protection Regulation is forcing businesses to adopt best practices in data management as they work toward responsible, transparent data handling. While bringing your business into compliance likely won’t be an easy road, being a part of a unified data security scheme will be beneficial. In fact, according to Amy Saunders, media law expert and Northwestern University in Qatar associate professor, “the GDPR is certainly the most stringent mechanism for data privacy protection…so any business that is preparing to comply with the GDPR should be in good stead throughout the world with data privacy.”
Formstack has always made every effort to protect the personal data of EU citizens through previous Safe Harbor legislation and model clause updates. As such, we plan to be in full compliance with the GDPR by May 25.