Disclaimer: We are not lawyers, nor do we provide legal advice. This article is an analysis of changes in business regulations. If you are looking for legal advice, consult a licensed attorney or firm in your area.
What Is General Data Protection Regulation (GDPR)?
GDPR is a regulation adopted by the European Parliament on the protection of consumers' personal data.
Almost every service on the internet involves the collection of our data. We send emails, buy online goods, and pay our bills by providing our personal information. These new reforms bring laws and duties to protect the privacy and consent of EU consumers.
The law was first adopted in April 2016 to replace an outdated data protection law from 1995. As of May 2018, it has gone into full effect.
Public Concern Over Privacy
Many privacy scandals have shaken the world over the past few years.
In 2016, two hackers broke into one of Uber’s third-party cloud services. They gained personal data on 57 million Uber users, along with 600,000 driver’s license numbers. Instead of announcing the data breach, Uber paid the hackers $100,000 to delete the data.
It wasn’t until a year later that Uber discussed the privacy breach publicly. Consequently, the corporation had to pay $148 million in damages.
In 2018, Facebook got caught in a political scandal that sparked a national debate on privacy. Facebook had been granting the data of 87 million users to Cambridge Analytica, a political consulting firm. Not only that, but Facebook had been selling its users’ data to tech companies such as Yahoo! and Amazon as well.
As a result, the public has become very concerned over their online privacy. Many believe that organizations don’t have their best interest in mind. Regulations such as the GDPR help keep businesses accountable and protect users’ privacy rights.
Who Needs to Be GDPR Compliant?
Due to its extraterritorial nature, the GDPR applies to more than just companies within the European Union.
US-based organizations that collect data of EU citizens across Europe must follow GDPR, but the regulation does not take into account EU citizens on American soil. Here are the specific criteria for companies that fall under GDPR standards:
- US organizations with any form of existence in an EU member state.
- Any business that handles personal data from EU citizens at some point of the buying process.
- Companies with more than 250 employees.
- Companies with less than 250 employees whose data-processing impacts the rights of EU citizens.
Companies need specific roles to ensure GDPR compliance. These roles include:
- Data controller: Determines how and why the company processes personal data. The controller is also responsible for ensuring that contractors and external agents comply.
- Data processor: Someone in your company, or a third party, that processes personal data on the controller's behalf. GDPR holds both your organization and your processing partner liable for penalties.
- Data Protection Officer: Ensures that the company adheres to the GDPR. Under Article 37 of the GDPR, this is a mandatory role for all companies that collect EU citizens' data.
You may ask yourself: how can the European Union impose its law outside its borders? Through mutual treaties, foreign powers can help other nations apply their statutes. Check out GDPR Article 50 for more information.
What Does GDPR Compliance Look Like?
Ability to Provide/Delete Data
After the end of service or on the expiry of a contract, businesses must delete all personal data they have collected from users. Users can demand their data erased if it’s no longer necessary or if they withdraw their consent.
Cookie Notices
Cookies on websites record information about a user's browsing activity.
A cookie notice is the banner that appears when a user first visits a webpage. Its purpose is to tell users that the site uses cookies and to ask for their consent, protecting their right to privacy. A GDPR-compliant cookie notice requires:
- Explicit consent from the website’s users.
- Specification of all types of cookies and tracking technology used.
- Wording that is easy for users to understand, with a simple way to accept or deny consent for each type of cookie separately.
- The ability for users to withdraw their consent at any time.
- Renewal of the user's consent every 12 months.
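The consent record behind such a banner is the part a developer actually has to get right: nothing may be set before an explicit choice, each category must be decided separately, a choice must be revocable, and a stored choice must lapse after 12 months. The following is an added example written for this article, not code from the original post or from any consent library. It assumes three cookie categories ("necessary", "analytics", "marketing"), an in-memory `Map` standing in for browser storage, and an injected clock so the 12-month expiry can be exercised without waiting.

```javascript
// Added example: a minimal, storage-agnostic consent record that meets the
// cookie-notice requirements listed above. The storage object and clock are
// injected so the logic runs in Node; in a page you would pass a thin wrapper
// around localStorage or document.cookie instead of a Map.

// Assumed category names; "necessary" cookies do not require consent under the
// article's own description, so they are always allowed.
const CONSENT_CATEGORIES = ["necessary", "analytics", "marketing"];

// Consent must be renewed every 12 months; stored as milliseconds.
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;

const STORAGE_KEY = "cookie-consent";

class ConsentStore {
  constructor({ storage = new Map(), now = () => Date.now() } = {}) {
    this.storage = storage; // needs get/set/delete, like a Map
    this.now = now;         // returns a timestamp in milliseconds
  }

  // Record an explicit choice per category. Anything not explicitly set to
  // true is treated as denied: silence or a pre-ticked box is never consent.
  record(choices) {
    const record = { grantedAt: this.now(), choices: {} };
    for (const category of CONSENT_CATEGORIES) {
      record.choices[category] =
        category === "necessary" ? true : choices[category] === true;
    }
    this.storage.set(STORAGE_KEY, JSON.stringify(record));
    return record;
  }

  // Return the stored record, or null if there is none, it is malformed, or it
  // is older than 12 months. A null result means the banner must be shown again.
  current() {
    const raw = this.storage.get(STORAGE_KEY);
    if (!raw) return null;
    let record;
    try {
      record = JSON.parse(raw);
    } catch (e) {
      return null;
    }
    if (typeof record.grantedAt !== "number" || typeof record.choices !== "object") {
      return null;
    }
    if (this.now() - record.grantedAt > CONSENT_TTL_MS) return null;
    return record;
  }

  // The only question a tag loader should ask before setting a cookie.
  isAllowed(category) {
    if (category === "necessary") return true;
    const record = this.current();
    return record !== null && record.choices[category] === true;
  }

  // True when no valid (unexpired) choice exists, i.e. the notice must be shown.
  needsPrompt() {
    return this.current() === null;
  }

  // Withdraw consent for one category without touching the others.
  withdraw(category) {
    const record = this.current();
    if (record === null || category === "necessary") return;
    record.choices[category] = false;
    this.storage.set(STORAGE_KEY, JSON.stringify(record));
  }

  // Withdraw everything; the next visit shows the banner again.
  withdrawAll() {
    this.storage.delete(STORAGE_KEY);
  }
}

// Gate a loader (e.g. a function that injects an analytics script) on consent.
// Returns true if the loader ran, false if it was blocked.
function loadIfAllowed(store, category, loader) {
  if (!store.isAllowed(category)) return false;
  loader();
  return true;
}
```

Two design choices matter here. First, `isAllowed` re-reads and re-validates the record on every call, so an expired or tampered value can never keep a third-party script running. Second, every check goes through `loadIfAllowed` rather than through a one-off boolean computed at page load, which is what makes withdrawal take effect immediately.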
Form Disclaimers
A form disclaimer describes how your company processes the personal data collected through a form on your webpage. Forms must be transparent, easy to access, and written in plain language. Here is what your form disclaimer needs to include:
- Contact details: the name, address, email address, and telephone number of your company.
- Lawful basis for processing: which of the six lawful bases you are relying on to process the data.
- Your data collection process: users need to know whether you plan to share their data with any third parties.
- How long you will keep personal data: under the GDPR you may hold data only for as long as is necessary, so specify the time frame for which you will keep your users' data.
- Data subject rights: each form disclaimer must list the GDPR's eight data subject rights:
- Right to be informed
- Right of access
- Right of rectification
- Right of erasure
- Right of portability
- Right to restrict processing
- Right to object
- Right in relation to automated decision making and profiling
What Happens If You Are Not Compliant?
The Two Types of GDPR Fines
Articles 83 and 84 of the GDPR define the fines that apply to non-compliant companies. There are two tiers:
First tier: Up to $10 million, or 2% of the annual global turnover of the previous year, whichever is larger. First-tier fines apply when:
- An organization does not keep its records in order (article 28).
- An organization does not notify the supervisory authority of a breach (articles 31, 32).
- A company does not conduct impact assessments (article 33).
Second tier: Up to $20 million, or 4% of the annual global turnover of the previous year, whichever is larger. Second-tier fines apply when:
- A company violates the basic principles for data security (article 5), the lawful bases of processing (article 6), or the rules on consumer consent (article 7).
- An organization fails to respect the rights of data subjects (articles 12 – 22).
- Users' personal data gets transferred to third countries (articles 44 – 49).
Criteria for Applying Fines
The following criteria play a role in determining the fine for non-compliance:
- Intention: Was the non-compliance intentional or negligent?
- Nature of violation: How many people were affected, and what damage did they suffer?
- History: Has your organization had previous experience with non-compliance?
- Notification: Did you report the infringement by yourself or through a third party?
- Preventive measure: Was your firm prepared in advance to prevent non-compliance?
Even if the GDPR does not affect you currently, the US is likely to put similar policies in place soon. The GDPR has set a global standard for data protection, so it is reasonable to expect the US to adopt the same approach. Similar regulations are already present in certain states.
For example, in 2018, California signed the Consumer Privacy Act. By 2020, Californians will have the right to know what data companies hold on them and how they process it. They will also be able to decide whether they want third parties to access their data.
Data protection bills are already being pushed in Congress. The Data Care Act, pushed in late 2018, could completely change how US companies collect user data. Other senators are even planning to jail executives who mishandle consumer information.
Big tech companies are also jumping in to support new privacy protection bills. According to Julie Brill, vice president of Microsoft:
“Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information.”
What Should I Be Doing?
Start by talking to your legal team today to determine your specific requirements. As you work with them, make sure that your privacy notice gets an update to fit GDPR standards.
Once you have an understanding of your specific requirements, reach out to your marketing and development team to put GDPR policies in place on your site.
Have questions about implementing GDPR on your website? Reach out to us!