Have you thought about data privacy lately?
Do you have clients or customers in Europe? May 2018 is going to be a big month for data privacy laws that affect your business. If you haven’t heard about it already, on May 25, 2018, a new law is going into effect that requires companies that collect data on citizens in European Union countries to comply with strict new rules that require businesses – including those here at home – to protect personal data and privacy. Known as the General Data Protection Regulation, or GDPR, the new rules protect privacy of data that includes, among other things, names and addresses, IP address and location data, and other personal behavioral information. The GDPR is the first major change in European data privacy laws in over twenty years, and was adopted in April 2016.
Does your company need to comply? In general, companies must comply if they have a presence in an EU country or process personal data of EU residents who are in the EU when the data is collected. There are certain limitations on the applicability of the rule to companies with fewer than 250 employees: Those companies must still comply, albeit with lesser recordkeeping requirements. If you market your website to citizens of the EU, you should consider whether you must comply with the GDRP.
Do you use third parties to process data? Your company may be responsible for the compliance – or lack thereof – of those third parties, and if those companies are not compliant, neither is your company. Check and update your agreements to add some "teeth" for noncompliance by your third party providers.
What does it mean to comply? For starters, companies responsible for compliance will need to update their online content so that EU residents must explicitly consent to the collection of their data. Once collected, there are strict data security standards that must be followed to protect the data. Under certain circumstances, EU residents must be given the right to request that their personal data be erased and also to transfer their personal data from one electronic processing system to another. Data breaches must be reported within 72 hours.
The GDRP allows the EU to levy significant fines for failure to comply. To be able to demonstrate compliance with the GDPR, companies should implement measures and policies to prove that they comply with the new standards, and in certain circumstances must designate a Data Protection Officer (DPO) to oversee those measures.
If you have questions, speak to an attorney or IT-professional with knowledge about the changes and requirements.