What does the General Data Protection Regulation (GDPR) mean, and what does it mean for my business?
Who and What
The rustling of legal papers, tapping of keypads and swiping of screens is upon us as the European Union’s General Data Protection Regulation (GDPR) is set to come into force on May 25, 2018.
The GDPR marks a large change in data privacy that will likely have an impact on any company with a website. (I.e., everyone.) It is no longer territorial or limited by geography. These new laws focus on the individual – namely the EU citizen – and any company processing or holding personal data on those individuals will be caught in its net.
If you are a company with a form on your site, you should read on, as all it takes is one interested Frenchman to fill it out.
Personal data is defined as “anything from a name, photo, email address, bank details, posts on social networking websites, medical information, or a computer IP address”. That last one is particularly interesting, as a lot of web services record it: web forms of any sort, various tracking services, and lots more.
Asking before you take is not something most sites are very good at. These new regulations require consent from the user in “an intelligible and easily accessible form, with the purpose for data processing attached to that consent”. We have to tell users what we are collecting and why in an unambiguous way, using clear and plain language. In other words, no more pages of terms and conditions malarkey.
Also, parental consent is required for users under 16.
Oh, and users must have the ability to not accept, too.
These are key changes from the UX-troubling cookie consent messages we see on “international” sites currently, and it will require the input of lawyers, designers and developers to work out how to handle and implement them across the web.
Better Safe Than Sorry
The GDPR is aimed towards larger companies collecting large amounts of data, but it will affect a lot of smaller organizations too. The penalties and fines for noncompliance are 4% of global revenue, capped at 20 million euros.
Obviously, this is a lot of information to throw at you. Our apologies. Sooner is always better in our opinion, and with your best interests in mind, we want you to be ready.
Summary of Key Changes
- Rules now apply to ANY company in the EU collecting data on EU citizens and ANY company outside the EU that offers goods or services to EU citizens.
- Fines up to 4% of global turnover.
- Clear and unambiguous user consent is required to collect data and must be able to be withdrawn as easily as given.
- Any data breaches must be reported within 72 hours.
- Users can ask for a copy of the data you are storing on them for free at any time.
- Users can ask to be forgotten – have their data erased.
- Big companies may need to employ a Data Protection Officer.