If you haven’t heard, a new European regulation, the General Data Protection Regulation (GDPR), takes effect on May 25, 2018. It governs how organizations, not just governments, collect and handle the personal data of people in the EU. It gives individuals in the EU and EEA more control over their personal data and stronger assurance that it is being protected.
You may think that, since your company is not part of the EU, there’s nothing you need to do to comply with the new law. Think again!
If your company processes any personal data of people located in the EU, GDPR will apply to you regardless of where your business is located…even to companies in Southwest Michigan.
GDPR reaches companies on every continent that offer goods or services to people in the EU (paid or free) or monitor their behavior, for example through website tracking. Personal data is any information that relates to an identified or identifiable person: name, photos, email address, bank details, social media accounts, postal address, medical information, and even online identifiers such as an IP address.
Exactly how GDPR will affect your particular company depends on details of your business and situation that we can’t know in advance. However, we can give you a general overview of how to prepare and what compliance involves.
Consent is the part of GDPR most businesses notice first, although it is only one of several legal bases for processing (performing a contract or a legitimate interest, for example). When you rely on consent, it must be freely given, specific, informed, and unambiguous, expressed by a clear affirmative action. That means no more pre-checked boxes on forms: every box must start unchecked and be accompanied by a plain explanation of what checking it means. Another common approach is a confirmation email that requires the recipient to click a link to confirm consent. If you offer online services directly to children, consent for a child under 16 must come from a parent or guardian; individual EU countries may lower that age threshold to as low as 13.
Even when a customer provides consent, it doesn’t last forever. They have the right to withdraw consent, and withdrawing it must be as easy as giving it was. They also have the right to have their data erased (the “right to be forgotten”). And if they dispute the accuracy of their data, they can have its processing restricted until the question is resolved.
Consumers also have the right to data portability: the right to receive the personal data they provided to you, and to have it transferred to another service provider where that is technically feasible. Businesses must supply that data in a structured, commonly used, machine-readable format (for example CSV, JSON, or XML) when the customer asks.
If a personal data breach occurs, you must report it to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected. When the breach is likely to result in a high risk to those individuals, you must also tell them directly without undue delay. GDPR does not require you to file your breach procedure with regulators in advance, but you must keep a record of every breach, including what happened and what you did about it, and you should have a documented notification process ready before you need it.
It may seem overwhelming to get ready for GDPR, especially if you’re a small business without a dedicated IT department. The UK’s Information Commissioner’s Office (ICO), one of the supervisory authorities that will enforce GDPR, has published an online guide detailing the steps you need to take to become compliant. Read through it to determine whether you are affected and how to prepare.
The ICO has said that its enforcement will be proportionate and that fines are a last resort, so a small business with a small amount of data is a lower priority than a large one, but there is no small-business exemption. You will still need to comply with GDPR if you collect, store, or use personal data about anyone located in the EU. If you’re not completely compliant by the May 25th date, you will at least want to be able to show that you have assessed your situation and are actively working toward compliance.
If you are still unsure whether your business is affected by GDPR and, if so, how you can become compliant, Kalamazoo SEO for Growth can provide expert guidance.
Contact us today to learn how we can help your business in all areas of its online presence!