GDPR Compliance: Your Data Privacy Questions Answered

This is a writing sample from Scripted writer Brandon Michael

Even though the General Data Protection Regulation (GDPR) has been in effect for two years now, estimates suggest that the majority of companies have not yet reached GDPR compliance. With regulators enforcing the law with heavy fines and increased scrutiny in 2020, the year of online everything, what can you do? This Client is always on top of data privacy compliance, and we've put together a convenient guide to help you get your company into compliance. 

Seven-Step Guide to GDPR Compliance: Answers to Your Most Important Questions

1. Who Is Subject to the GDPR?

Even though the GDPR was approved by the EU parliament, it's not limited to businesses in the EU. The law specifically focuses on the data of EU citizens and residents. In a globalized world, this means that your business does not have to have a branch in the EU to require GDPR compliance.

If your business collects or processes the personal data of EU citizens or residents, then your company is subject to the GDPR's rules. This is always true if the collecting or processing is done within the EU's borders, but what happens when your business is located elsewhere, for instance in the United States? That's where the specific targeting requirement comes in. Let's have a look at what that entails.

Specific Targeting Requirement

The GDPR specifies that occasional or incidental collection of EU data does not necessarily mean that a company must automatically be GDPR compliant. Instead, there's a specific targeting provision in the law that your company should consider.

For example, if you're a pizza shop in New York City that takes orders online, it's possible that your business could receive an order from an EU citizen and thus have their personal information. That would probably be a rare occurrence and no cause for GDPR alarm.

Now, if that same pizza shop marketed itself heavily to tourists coming from the EU, perhaps sending them regular emails or providing coupons for EU customers when they visit the US, then the business would be considered subject to GDPR rules. If you have a top-level domain from an EU country, accept euro as payment, or provide alternate websites in languages specific to the EU, then it's more likely that the EU will see your business as targeting their citizens.

2. How Much Does Business Size Matter?

Small and medium enterprises (SMEs) get a few breaks. Businesses with under 250 employees don't need to appoint a data protection officer (DPO) or keep records of how their customers' data was handled, unless data processing and collection is a regular activity of the company.

No business is fully exempt from GDPR compliance, however. If you're collecting personal information and targeting EU citizens, you have to play by the rules.

3. What Kind of Data Is Protected?

So what data falls under the GDPR's umbrella? Virtually everything does. Any personal information, defined as information that can be reasonably connected to an individual's identity, can subject you to GDPR rules. Obvious personal info like names and addresses would qualify, but so do some less obvious cases.

For example, IP addresses are considered personal information since it's possible to get the exact identity of the individual via the ISP. Even information published under a social media pseudonym would qualify, since it's linked to an email address, which is also personal information. In short, just about any detail you can collect on a person qualifies.

4. What Website Changes Should You Make?

If you haven't already, you ought to get your web designers to update your website with compliance measures. One of the most important is a prominent, plain language notification of what data your website collects and how it does so. Article 12 of the GDPR outlines this requirement and it's relatively easy to implement. 

5. What Data Security Measures Need to Be Implemented?

Your company should make every effort to minimize the risk of exposing private data. To do so, use encryption on all of your files containing personal information. You can also anonymize these files by removing connections to actual individuals' names or by deleting any key identifying information.

You'll also want to draft a security policy for your team members to follow. Most data breaches are not caused by clever hackers, but rather by employee error. 

6. What Consumer Rights Need to Be Considered?

The GDPR grants consumers several rights, including the right to request that their personal data not be sold or transferred to third parties, as well as the right to have their data deleted upon request. They can also simply ask to see what data you hold about them.

This is where you need to implement solid data management practices. If you don't know what data you have, you won't be able to comply with these requests. If you can't comply in a timely manner, the individual could raise a complaint and put you squarely within the regulators' crosshairs. 

7. What Happens in the Event of a Data Breach?

Should your company experience a data breach, the GDPR requires that you inform users within 72 hours. You also need to inform the data protection authority (DPA, not to be confused with data protection agreements).

Data breaches are becoming increasingly common and more businesses have been targeted in 2020 since more of our work has gone online. It's imperative that your business have the ability to track data and know where it came from and what it contains. Data breaches can be mitigated or even prevented using smart data management.

GDPR compliance may seem challenging, but it doesn't have to be. The key to making compliance easy is to have a data management platform that can identify data subject to GDPR regulations. That's precisely what This Client can do for you. Our platform parses your data and can categorize it quickly, allowing you to easily apply the proper permissions and ensure that sensitive information never leaves your servers. Call This Client today to find out how our platform can make GDPR compliance a breeze.
