In April 2016, the European Union passed the General Data Protection Regulation (GDPR) to protect the data privacy of people in the European Union. If you work for a company that operates in the US, the passage of this regulation may not have been on your radar. However, the GDPR becomes enforceable on May 25. If there’s any possibility you deal with the personal information of someone in the EU (and possibly EU citizens residing in the US), this regulation may apply to your company, especially if the data is collected while the individual is in the EU. More specifically, you could be found in breach and be assessed a fine of up to 4% of annual global turnover or €20 Million (whichever is greater).
While there is some debate about who and in what circumstances the GDPR covers, there are some calling for the US to move toward stricter regulation of how personal data is collected and used. Even if it turns out that the GDPR isn’t applicable to your business practices, it’s a good idea to take steps to adopt a few best practices when it comes to working with personal data, like names, locations, IP addresses, and physical, physiological, genetic, mental, economic, or cultural and social identities.
There are a few steps you can take to make sure your company is prepared.
- Perform a Personal Data Audit - Understand what your current practices are in relationship to the personal data you gather and process. Document what type of data you gather and hold, where you got it, and what other organizations you share it with. Get a strong understanding of how you seek, obtain, and record consent to use data, and how long you are keeping the data. This is just common sense. If companies are required to follow certain regulations about how data is used, what it is used for, and how long it’s held, it’s important to know what your current practices are. Documenting your processes is also a requirement of the GDPR.
- Clearly Communicate Reasons for Gathering Data - Review your opt-in practices. The GDPR forbids data-gathering forms with pre-checked boxes to opt in to mailing lists and requires clear language about what the data will be used for. Adding double opt-ins when gathering data is also a good way to ensure you are clearly communicating what you are gathering the data for and receiving the appropriate consent. It’s also important to be aware of the the requirements about dealing with consent from minors.
- Update Security Measures - Determine whether you are taking the appropriate measures to keep the personal data you process secure. This includes having a process in place to detect data breaches and communicate those breaches within 72 hours as is required by the GDPR.
- Get Ready to Respond to Requests - Implement procedures to process requests regarding personal data in a timely manner. The GDPR gives data subjects the right to access, change, delete, or move their personal data. You must be able to comply with these requests within one month.
- Name a Data Processing Officer (DPO) - If you frequently deal with the personal data of people in the EU, you may be required to appoint a DPO to oversee compliance with the GDPR. While making someone in your organization responsible for GDPR compliance is a good idea, it is required under certain conditions.
The impact of the GDPR on companies in the US is still a little unclear. However, a thorough evaluation of your company’s collection and usage of personal data is still a good idea. Using the GDPR as a guideline can help you and your legal team create a set of procedures that lines up with best practices when dealing with the rights of data subjects.
For more information, you can read the regulation at https://gdpr-info.eu/.
Station Four can help you assess your GDPR compliance requirements. Call us at 904.399.3219 or email Chris Olberding at firstname.lastname@example.org.
Aimee Payne is S4’s Marketing Manager and official wordsmith. With a background in copywriting and market research, she’s fanatical about clear communication that is targeted toward the audience’s needs. When she’s not writing for our clients, she’s at home writing novels between watching true crime documentaries.