Breaking it Down: Upcoming GDPR (General Data Protection Regulation) Legislation.

Nate Politi

Category: Development

05.17.2018

Wait, what?
On May 25th, a new law goes into effect in the European Union in order to protect citizens from abuses of their personal data. It is called the GDPR, or General Data Protection Regulation.

But I don’t live in the E.U., and my company doesn’t operate in the E.U.
It doesn’t matter where your company is located; it only matters where the data you hold comes from. If an individual American company has European Union data in its possession, that data must be handled in compliance with GDPR.

What if I don’t comply?
Companies that don’t comply can be fined up to 2% of their worldwide annual revenue from the previous year. That’s a pretty penny.

Ok, what kind of data are we talking about?
This applies to any data that can be used to “directly or indirectly” personally identify someone. Think name, email address, phone number, photograph, IP address, etc.

But only people in the E.U., right?
This law applies only to data collected from EU residents.

What should I do?

  1. Figure out what personal data you might have, and document it. Think about your website, your email marketing, etc.
  2. If you share any of that information, document that, too.
  3. Review any privacy policies that you have in place. Plan to update these in advance of May 25th. If you don’t have a privacy policy, write one which explains what personal information you collect from visitors, how you use it, and how you keep it safe.
  4. If you collect any personal information impacted by the GDPR, get rid of it, or identify your “lawful basis for processing personal data” and document that in your privacy policy.
  5. Update any data collection methods you use to collect the minimum amount of personal data necessary.
    1. If your methods do not allow users to consent to their data being collected, they need to be changed. For example, email sign-up forms should not automatically opt users into lists. Users must have the ability to opt themselves in, and you must have proof of that opt-in. For existing lists, that means you should delete the data, or send an email allowing individuals to re-opt in or be removed.
  6. Designate a Data Protection Officer if required (specific requirements noted at the resources linked below).
  7. Put a plan in place for data breaches. For example, how will you detect one? Whom will you report the breach to? How will you investigate and correct it? Information on the requirements in the event of a data breach can be found here.
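The opt-in requirements in step 5 are the one part of this list that lands directly in code. The following is an added example, not code from the original post: a double opt-in flow in which nothing is stored unless the consent box was actively ticked, the address joins the list only after a confirmation link is used, a consent receipt (policy version, source, timestamps) is kept as the proof of opt-in, and a legacy list is re-permissioned by removing every address until its owner confirms. The in-memory stores, function names and field names are assumptions for the example.

```python
import secrets
from datetime import datetime, timezone

# Hypothetical in-memory stores for the example; a real service would keep
# these in a database and must not retain pending entries indefinitely.
pending = {}      # confirmation token -> signup details awaiting a click
subscribers = {}  # email -> consent receipt (the stored proof of opt-in)

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def _issue_token(email, policy_version, source):
    # Unguessable token that will be embedded in the confirmation link.
    token = secrets.token_urlsafe(32)
    pending[token] = {"email": email, "policy_version": policy_version,
                      "source": source, "requested_at": _now()}
    return token

def start_signup(email, consent_checked, policy_version, source):
    """Stage 1 of double opt-in. The consent box must have been actively
    ticked; a pre-ticked or missing box is not consent, so the address is
    not even stored as pending."""
    if consent_checked is not True:
        raise ValueError("no affirmative consent given; nothing stored")
    return _issue_token(email, policy_version, source)

def confirm_signup(token):
    """Stage 2. Using the link proves control of the mailbox; only now is the
    address added, with a receipt recording what was agreed to and when."""
    details = pending.pop(token, None)
    if details is None:
        return None  # unknown, expired or already-used token
    receipt = dict(details, confirmed_at=_now())
    subscribers[receipt["email"]] = receipt
    return receipt

def is_subscribed(email):
    return email in subscribers

def start_reconsent(existing_list, policy_version):
    """For a legacy list collected without documented consent: drop each
    address from the live list now and issue it a re-opt-in token; it only
    returns when its owner confirms. Returns email -> token for mailing."""
    tokens = {}
    for email in existing_list:
        subscribers.pop(email, None)
        tokens[email] = _issue_token(email, policy_version, "re-opt-in")
    return tokens

def expire_pending(before_iso):
    """Discard pending requests older than the cut-off so unconfirmed
    addresses are not retained; returns how many were removed."""
    stale = [t for t, d in pending.items() if d["requested_at"] < before_iso]
    for t in stale:
        del pending[t]
    return len(stale)
```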

Ensuring compliance is the responsibility of companies. If you want to get more specific, here are two important resources:
