If you own an email account (and we’re pretty sure you do!), chances are you’ve heard about GDPR. You may have seen it referenced in different websites you’ve visited. So what is GDPR? And what does a business need to do for GDPR compliance? This article will answer these questions.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law that gives EU citizens more control over the personal data that companies collect and store online. But its impact is also being felt beyond the EU. Under GDPR, which went into effect on May 25th, companies must follow a strict protocol when collecting and managing user data in order to protect it from breaches, misuse, and exploitation.
In other words, if you sign up for an account (free or paid) with an online news site, that news site must follow specific rules about what it can and can’t do with the data you provided. You now also have more control over your data, which leads us to the next point: the user perspective.
What does GDPR mean for my business?
If you are a business that collects and manages the user data of EU citizens, B2B or B2C, you are obligated to comply with GDPR. There are many ways that this may affect your business operations such as advertising, product development, marketing, and more.
It’s advised to consult a lawyer to make sure you comply with the new regulations. Companies that don’t comply risk being penalized and heavily fined.
While GDPR has the greatest impact on large-scale businesses (like Facebook, with a billion users and a business model built on monetizing user data), small businesses are also accountable.
Checklist for how to comply with GDPR:
1. Know what data you collect/manage and how you use it
Under GDPR, you need to clearly define the types of personal data you collect, how you are collecting it, and how you are using it within your business. There are two types of data: personal data and sensitive personal data. Personal data includes basic identifiers like a user’s name, address, email, photos, and IP addresses. Sensitive personal data includes more personal (less publicly listed) information such as religious views, medical and mental health records, ethnicity, and sexual orientation.
2. Understand if and how you must acquire a user’s consent to use their data
Under GDPR, a business must now follow stricter rules when it comes to acquiring a user’s consent to use their personal data. Let’s take the example of email marketing activities. In the past, when marketers wanted to add users to an email marketing list, they would often pre-fill a “subscribe” checkbox. If the user did not un-check the prefilled box, they would by default be signed up. Not anymore. GDPR requires a clearer, more active consent from users. You do not have to re-gain consent from existing users. But, moving forward, you need to clearly ask for consent and not pre-fill any forms that give consent.
3. Be transparent about how you use data
4. Make sure you are protecting user data
Your security measures and policies when it comes to protecting user data need to be GDPR-compliant. If, for example, you suffer a security breach that makes your user data vulnerable, you could be penalized. In general, encrypting user data can be a great solution for avoiding security breaches.
5. Be prepared to meet a user’s request for their data
Under the GDPR, citizens have much more control over the data being collected on them. A user can request to access all of their personal data from you, make changes to anything that’s inaccurate, object to data processing in certain circumstances, or request that you completely erase all of their personal data from your system. Each of these requests must be fulfilled within a month from the date of the request.
6. Make sure your partners are GDPR-compliant
In addition to being compliant yourself, you must also ensure that your business partners (suppliers, contractors, etc.) are GDPR-compliant.
If you feel overwhelmed, don’t be. GDPR was designed to regulate businesses that conduct large-scale data processing, which is not common among small businesses. However, do your due diligence. Review our checklist and if you have further questions about compliance, consult your lawyer to make sure you are in the clear.
What does GDPR mean for me as a user?
As a general practice, most companies ask you, the user, for a certain amount of information. For example, you often have to give your name and email address when you create an account for an app like Instagram or your phone number for Uber. But what happens to your information beyond that point?
Under GDPR, EU citizens now have the power to understand how companies use their data. They also have the right to request that their data be changed or completely removed. This is a big change that really empowers users when it comes to their personal information. Of course, it also greatly affects the companies who have your data…