By now you may have heard about a new set of laws about to take effect in the EU, called the General Data Protection Regulation (GDPR). While we, and many of those reading, are likely doing business in the United States, it is still important to know about these new laws and how they could affect you. Please take this information with a grain of salt, as we strongly recommend you do more research of your own and consult a legal advisor. While we’ve worked hard to learn a great deal about these regulations, we shouldn’t serve as your primary source of information or as a legal resource.
What you need to know
GDPR stands for General Data Protection Regulation, which aims to protect people’s data. The regulations will take effect on May 25, 2018, although the EU has been informing stakeholders about this since 2016. There are two main groups that the law aims to cover:
- Controllers: Entities that control personal data and the purposes for its use.
- Processors: Those who use the data as directed by the Controllers, by processing the data.
The law regulates all collection, storage, use, and sharing of personal data. Because of this, it casts a very broad net. This means that the collection and processing of any data that relates to an identified or identifiable person will be covered under the law. Example sources of linked identifiable data are:
- Sales databases
- Feedback forms
- Location data
- CCTV footage
- Health and financial info
- Photos with or without people
How GDPR applies to your US business
So how does this apply to your business based in the US? The short answer is that if people from the EU use your site (and they probably do), the law may apply to you if you collect and use that data to make business decisions. Further, a company not established in the EU may still be impacted if that company is offering goods or services (free or paid) to EU citizens. Monitoring the behavior of EU data subjects within the EU is also likely within the scope of the law. This could be anything from putting cookies on websites (are you using remarketing as a tactic?), to tracking the browsing behavior of citizens, to high-tech surveillance activities. Finally, the law limits the processing of data to only the situations relevant to its collection – which is a transparent, good practice anyway. This means organizations can’t reuse that information for any purposes not related to the original reason for the data collection (we’re looking at you, list purchasers and sellers).
Key rules to consider as an organization
- Transparency: Organizations must clearly state upfront what data is going to be used for. They need to be transparent in the processing of consumer data. This means no more lengthy forms full of jargon, and it means obtaining express consent for data collection and use.
- Purpose: Only collect data in relevant situations when you know the purpose for that data. You can’t reuse information for any other purpose that isn’t related to the original reason for the data collection.
- Accuracy: Ensure that any data acquired is accurate and can be changed if there’s an error.
- Storage: Only retain personal data for as long as necessary to accomplish the purpose behind why you needed the data.
- Security: Have a system in place to ensure data collected is secure.
Key individual rights of users
- Access: You have the right to ask controllers how your data is being used and why it’s being processed.
- Removal: You have the right to ask controllers to erase your data and halt processing. (Controllers need to ensure they have the ability to do this.)
- Portability: You have the right to take your data from one controller and give it to another.
- Privacy: Privacy settings cannot be an addition or an afterthought; they need to be in place as part of the system’s original function.
GDPR exists to make sure companies are being held accountable for the data and information they have access to. It also serves to better inform users of how their data is collected, stored, used, and deleted. While GDPR is a European Union law now, many believe the law – or something similar to it – could migrate to the United States. So even hyper-local U.S. companies not collecting and using data are well-served in getting ahead of the curve and preparing for these changes now. Although it seems complicated, GDPR is a good thing for both consumers and businesses. The more we have a transparent exchange over how our data is collected and used, the better. Building trust with consumers should always be the goal, and managing this information well is a great way to do so.