You’ve no doubt heard about the “GDPR,” short for General Data Protection Regulation, a new privacy law from the European Union. On May 25th, 2018, the GDPR replaces the previous European Data Protection Directive (which had been in effect since 1995).
The primary goal of the GDPR is to apply a single data protection law across all EU member states, simplifying the regulation and enforcement of data protection. The GDPR sets out rules on how personal data is processed, used, stored, or exchanged, while making that handling more transparent to the users who provide their data.
Who the GDPR Applies To
Now you might be thinking that the GDPR doesn’t apply to you because you saw “EU” and you’re likely in the “US.” The GDPR doesn’t just apply to organizations in the EU but to anyone who processes, uses, stores, or exchanges the data of an EU citizen. In other words, if either of the following applies to you, the GDPR needs to be taken into account for your business or website.
Your business has a presence in any EU country.
Your business does NOT have a presence in the EU, but your business or website processes any data of EU citizens.
In short: if your business is established in the EU or a portion of your customer base (or anyone you are using data for) is in the EU, you are responsible for complying with GDPR.
What Is Considered “Personal Data”?
When drafting a privacy policy and deciding how to structure the management of customers’ or users’ data, you’ll need to know what classifies as personal data. The GDPR’s definition boils down to any information relating to an “identified” or “identifiable natural person,” which includes any of the following:
Basic Identity Information – including name, email, address, ID numbers
Web Data – IP address, location, cookies, RFID tags
Health Related Data – about an individual’s health, their genetics, and biometric data
Racial and/or Ethnic Data
Political Opinions
Sexual Orientation
And any other information that can be directly linked to an identified or identifiable person.
Security Actions You Will Need to Consider
The GDPR sets out a number of security measures that may be required, depending on your business and how you use the information of your customers/users.
Encrypt and pseudonymize the personal data of customers/users.
Make provisions for regular testing and evaluation of the technical and organizational measures that secure the data.
Maintain confidentiality and integrity of processing systems and services used in relation to personal data.
After any physical or technical incident, restore the availability of and access to personal data in a timely manner.
Summary of the GDPR
There’s a lot that goes into the GDPR and its new rules on how you handle the personal data of EU citizens, especially when you consider that penalties can run to millions of euros. There’s no need to be intimidated as you learn more about the GDPR and what you need to do (and whether you even need to do anything). You can always consult experienced web professionals who have a clear understanding of the GDPR and what your business or website will need to do in order to comply effectively with the new regulations.
Contact us today at C2CG about all things GDPR. We’ll take the hard work of GDPR compliance off your shoulders.