GDPR: four little letters that are striking fear into the hearts of security professionals and marketers throughout the world. If you haven’t heard of these upcoming standards, you likely haven’t been listening to the news or reading any type of industry communications for quite some time. If even after all the clamor you’re not quite sure how something happening in the EU could affect your business, keep reading! While these are generally European standards, there’s a high likelihood that these data requirements could cause you some heartache. There are some significant challenges for implementation, but the extremely high penalties may motivate you to move in this direction anyway. Here are the top five things you need to know to safely use and distribute customer data in the coming years.
What is GDPR?
GDPR stands for the General Data Protection Regulation, enacted by the European Union two years ago, which finally goes into effect May 25, 2018. Many businesses have been preparing for quite some time — often with mixed results. There’s still a fair bit of ambiguity for companies about whether or not it truly applies to them, how stringently the requirements need to be implemented and more.
1. GDPR Is All About the Personal Data
The rules were created as a way to protect citizens in the EU with more stringent security policies around the storage, usage and distribution of personal data. The regulations are very specific, going down to the level of whether specific pieces of PII (Personally Identifiable Information) can be gathered, how long they can be stored, and how any data breaches will be managed.
2. GDPR Probably Applies to Your Business
If you do any sort of business with anyone in Europe — even as small as selling a single mug or another item to a single individual — then the GDPR laws are for you. If your vendors do business in the European Union, you will also need to be in full compliance. The tentacles of this particular set of regulations are far-reaching and are expected to be translated to the U.S. sooner rather than later.
3. All Types of Data are Covered by GDPR
If you are capturing, storing or distributing any type of data that can directly or indirectly point back to an individual and identify them, then that data is covered by GDPR. This includes specific tidbits such as:
- Email addresses
- Photos
- Phone numbers
- Health information
- Personal data related to crimes or convictions
- Computer IP addresses
- Posts on social networks
- Bank details
- Biometric data
- Psychographics and demographics (e.g. race/ethnicity, religious beliefs, sexual orientation or genetic data)
4. GDPR Requires Clear and Explicit Permission
The days of “assuming” that it is acceptable to have a client’s information since they visited your website are over. Instead, GDPR requires that you receive explicit permission from each individual stating that you are able to utilize their personal information. To take things a step further, if a customer requests that you “forget” their information, your business is required to do so immediately. Plus, you cannot hide your intentions in legalese. Instead, businesses must state in clear and simple-to-understand terms how data will be used, stored, shared and distributed.
5. GDPR Non-compliance Carries Some Whopping Penalties
The fines associated with these new policies are not insignificant — and include penalties up to 4% of a company’s global turnover or 20 million Euros, whichever is greater. Notifications must come quickly in the event of a breach, often within 72 hours. Failure to report a breach in time can cause fines as high as 10 million Euros, and that is on top of the cost of notification and any business losses caused by the breach.
The GDPR rules stem from the need to protect the privacy of individuals, and they encourage businesses to form a relationship with their customers instead of attempting to work around consent. Data should be cautiously cared for, and individuals should be able to easily receive their data in a machine-readable format. Finally, customers deserve the right to be forgotten, requiring businesses to completely obliterate storage of and access to a person’s information. Want to learn more about the effect that GDPR can have on your business? Contact Coretelligent today at 855-841-5888 to learn more.