If your company has a web presence, GDPR is an issue for you.  This article will inform you of what GDPR means and how it can affect your company.

We will also look at how you can keep your company out of the “hot seat” and implement these policies within your business.

Let’s begin by defining GDPR, provide you a brief history of data use, and then look at how to keep your company in the clear.

Has your inbox recently been filled with notices that “Our company’s privacy policy has changed… “or you’ve received warnings while browsing a website warning you that the site has cookies? This is a result of companies enforcing GDPR legislation. GDPR stands for General Data Protection Regulation.

This new European regulation went into effect May 25, 2018, superseding the 1995 Data Protection Directive and 1998 UK Data Protection Act which implemented minimal standards until now. Over 22 years have passed and technology has vastly changed, including the amount and ways data pirates attempt to breach company information.

GDPR will give individuals more rights on how their personal data is collected and shared, and will hold companies responsible for what they do with data. This regulation ultimately gives individuals more control over their information.

GDPR will affect all companies in the European Union and any companies offering goods or services to the region. Companies have up to two years to come into compliance or can risk fees of up to four percent of the company’s global turnover.

Authorities anticipate that GDPR is the beginning of tightening e-privacy regulations across the European Union and global companies.  While your company may not provide goods and services in the EU, it is likely that that same or similar regulations will begin to be introduced around the globe. To read all 99 articles of the GDPR, you can access the entire regulation here: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1532348683434&uri=CELEX:02016R0679-20160504

We’ll make it simpler for you; here is a list of the main points of GDPR:

First note that personal data has historically included name, address, and contact information. GDPR expands the definition of personal information to include IP addresses personal preferences, and any other personal information gathered from individuals that could identify them without a name.

• Companies must notify their customers if personal data has been compromised in any form at all within 72 hours of the breach.
• Companies must notify anyone they collect information from what they are collecting and how it will be used in very clear, non-legalese language, up to and including a cookie consent notice.
• Individuals are given more control by having to opt-in for data collection, the ability to opt out of mailing lists, and having their information deleted altogether providing there is no need for it to be stored going forward.
• Companies are responsible for appointing at least one lead that assumes authority for data protection – something like a compliance officer.
• Companies should have documented procedures that ensure data protection and minimize risk of compromising data from the beginning of every transaction through to the very end, including how to handle data breaches.

These are some things you can implement in your company, regardless of where you plan to do business that will not only keep you compliant with the GDPR and ready for regulations to come, but also keep you socially responsible, protecting your customers:

• Appoint a compliance officer or lead (or department depending on your organization’s size) to assume responsibility for “everything data” This includes documenting the process and flow of collecting data, storing data, sharing data, communications with customers about data, policies in case of breach, etc.
• Store all customer data in a secure database. Relay this information back to a portal where the customer is easily able to see and update information stored about them by your company.
• Have a clear data collection policy and privacy policy that you update regularly to keep current and communicate clearly and is available to the public by posting it on your website and pushing it out to customers who have opted-in to communication.
• Provide an opt-in option for consumers to provide their information after you have provided clear and understandable communication about how, exactly, you will use their information. Include a cookie collection consent on your website if your company uses cookies.
• Verify customer’s age before collecting information and received parental consent if individually is underage. GDPR defines underage as 15 and younger.
• Connect with all individuals that have already shared their data to give them the opportunity to know your privacy and data collection policies, what data you have about them, the ability to update that data including deletion, and the means to opt out of any future communication and/or data collection.

Becoming GDPR compliant is simple, but will require a concerted effort if your company is not already practicing these policies. Comment to share how your organization has implemented practices that are keeping you GDPR compliant and socially responsible.