There’s been a lot of buzz around the May 25th, 2018 enforcement date for the General Data Protection Regulation, but there’s also been a lot of confusion and misinformation swirling around the topic. This article aims to give you some plain language clarification regarding what the GDPR demands of small to mid-size companies in San Francisco, and the steps your business needs to take to ensure compliance.
What is GDPR?
The GDPR or the General Data Protection Regulation is a set of standards set in place by legislation enacted in the European Union. In total, these regulations add up to more than 250 pages of legal documents.
The GDPR has been designed to protect the personal information of citizens of the EU from being misused and abused. It has been written to cover all commercial transactions in which an individual’s data is accessed, handled, stored, or otherwise “processed.” To cover this wide swath of commercial interactions, the GDPR had to be written in a way that applied to every company from the technology giants like Microsoft and Facebook all the way down to the small business.
As a result, the language used can be confusing, and the application to small and mid-size business can get lost in the mix.
What Businesses Are Subject To The GDPR?
If your business advertises to, collects information from, or makes products and services (even free products and services) available to anyone living in the EU, your company must comply with the GDPR.
In today’s internet connected, e-commerce world, the GDPR impacts a vast majority of companies.
A simpler way to state this is: “The GDPR is not simply a regulation for the EU and EU businesses. If someone from the EU could end up as a client or on your monthly newsletter email blast, you have to become compliant with GDPR.”
What Businesses are NOT Subject to the GDPR?
If your business only advertises to, sells to, and operates within North America AND your website forms and landing pages are set up to reject opt-ins from EU IP addresses, you don’t have to worry about meeting GDPR compliance. But if you make only one sale or accept one newsletter subscriber from the EU, you trip the wire and become subject to GDPR.
What Data Is The GDPR Intended To Protect?
The GDPR has been written to curb the abuse of the personal information of citizens and residents of the European Union. (It’s important to note that after Brexit, the UK has chosen to enact its own data privacy regulations, but they will be very similar to GDPR.) The personal data protected by GDPR includes, but is not limited to:
- Phone Numbers
- Email Addresses
- Government-issued ID – numbers associated with licensing, military, social services, and healthcare
- IP Addresses
- Credit Card Numbers and Banking Numbers
What does the GDPR mean by the “processing” of data?
“Process” is the word that the GDPR uses to encapsulate everything that a company does with the personal information of an individual. Processing includes the collection of data, the deletion of data, and everything that takes place between those two points relating to that data.
What Are The 6 Main Provisions Of The GDPR That Apply to Small to Mid-Size Business?
- Data must be processed lawfully, fairly, and in a transparent manner.
- Data must be collected for specified, explicit, and legitimate purposes.
- Data processing must be limited to what is necessary for the purposes.
- Data must be kept accurate, up-to-date, and corrected.
- Data cannot be kept (in a way that identifies the actual person) any longer than is necessary for the purposes collected.
- Data must be processed in a manner that protects the security and rights of the individual.
Each of these six main provisions should be explored by your lawyer to ensure that you and your data collection/use processes are in alignment with the nuances of each provision. Intivix specializes in the data protection aspect of GDPR compliance.
Answering Three Important Questions
- What data do we need to protect? – ANSWER: You are required to protect any data collected from individuals residing in or citizens of the EU.
- How are we required to protect the data? – ANSWER: You are required to meet certain baseline cybersecurity landmarks. To learn more about GDPR security requirements, please contact the Intivix team of IT security professionals at (415) 543-1033.
- Is it sufficient to notify people what data is collected, tell them how it is minimally used, and assure them that it is protected? – ANSWER: No. The GDPR requires that explicit permission is given for each action taken with an individual’s data. For example, an email address collected in a contest or free giveaway, cannot be used in a sales campaign email blast. GDPR is more heavily focused on companies obtaining permissions from individuals than it is with the companies providing assurances of data protection and use to the individuals.
What Should You Do To Become And Stay Compliant With GDPR?
Step #1 – Don’t Panic!
If you have already been moving toward caring about your clients, using their information in an ethical manner, and protecting their data while it’s in your possession, GDPR compliance is the next logical step. The UK Information Commissioner, Elizabeth Denham was quoted by Matt Burgess of WIRED.CO.UK as saying, “The GDPR is a step change for data protection. It’s still an evolution, not a revolution.”
Step #2 – Deal With Your Current Data
The data that you now have – names, email addresses, phone numbers – is NOT grandfathered into the GDPR. To use that data gathered from people in the EU for anything outside of the strict confines of what they originally agreed to, you have to get them to opt into your new “purpose” for their information.
For example, if you sold a product or service to someone in the EU, you cannot then use their name and email address to market new products or services to them. To do so, you must get them to “opt-in” to your newsletter/marketing emails now.
You need to make an effort to get your EU contacts opted into your newsletter or marketing emails now before GDPR begins to be enforced. Use of their data after May 25th, 2018 for anything outside the original intended purpose they gave you their information is a violation of GDPR.
Note: This ONLY applies to individuals in the EU. It’s important to segment your data – such as email lists – into EU and “not EU” going forward as they fall under different rules. Strictly following EU/GDPR rules for your USA and Canadian clients may limit your marketing effectiveness in those markets. — It is likely, however, that Canadian and USA law will follow suit over time.
Step #3 – Delete Old EU-Sourced Data
After you have made an effort to get your EU contacts to “opt-in” to whatever “purpose” for which you currently want to use their information, you have to delete all those that have not responded or have responded negatively to your attempts to get them to “opt-in”. Again, this only applies to the EU contacts, not North American sourced data.
Step #4 – Get the Right Consent on Future Data Collected
As we move past the May 25th, 2018 enforcement deadline of GDPR and you begin to collect data from prospects and clients within the EU, it’s essential that you get consent for each “process” that you intend to perform with their data. For example, processing a sale and processing (sending) monthly sales emails would require two separate consents.
Note: Under GDPR you cannot make one consent (the permission to send sales emails) a mandatory condition of the consent to purchase (or receive for free) a product from you. The consent for each “process” must be voluntary.
- Includes contact information for all relevant parties, training officer, and GDPR representative.
- Includes information describing what data your company collects, what you do with that data, and why.
- Includes information describing the automatic collection of data through platforms such as Google Analytics.
- Includes who you share data with. – Note: You don’t have to name each company that you do business with/share data with, but you do have to present the “categories” of companies that you share data with. For example, “companies providing email services” would be a “category.”
- Includes the rights the individual has over their data. – For example, the right to be forgotten and the right to revoke consents.
The Intivix team specializes in ensuring that your San Francisco Bay Area business IT systems meet the high standards set by GDPR for security, transparency, and compliance. We’d be happy to talk with you about how to get and stay GDPR compliant.
Want to read more outstanding helpful articles from Intivix? We have them for you HERE.