GDPR
What is the GDPR?
The General Data Protection Regulation (GDPR) is a law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also applies to the export of personal data outside the EU and EEA areas. (U.S. companies included)
This law and others like it will change the way businesses and organizations store and process personal information. Similar regulations are already being implemented here in the U.S. One example is the California Consumer Privacy Act (CCPA), which was signed into law in June of 2018.
Even though it’s an EU thing, organizations and website owners everywhere need to pay attention.
The GDPR was created to protect the rights of citizens of the European Union with regards to the collection and use of their personal data. Organizations can be fined up to 4% of annual global turnover for breaching GDPR, up to a maximum of €20 Million.
Who Does the GDPR Apply to?
- Organizations processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. — This includes data collected from forms, ecommerce systems, membership systems, mailing lists, or any other personal data gathered and/or stored online.
- All organizations inside or outside of the EU that offer goods or services to EU data subjects residing in the EU (even if they are just visiting the EU).
- All organizations that monitor the behavior of EU data subjects. — This includes the cookies, browser information, device information, and other information your website requires for performance and personalized user experience. It also includes Google Analytics Data, and data needed to monitor the effectiveness of advertising.
8 individual rights under GDPR
GDPR grants eight specific rights to individuals regarding their personal data:
1. Right to be informed
You must be transparent about how you use personal data. This is typically handled through your site’s privacy policy (which you’ll likely need to update). In the event of a data breach, you need to have procedures in place to notify your customers within the 72-hour reporting timeline. This may mean appointing someone in your organization to oversee data protection and to help make sure your bases are covered.
2. Right of access
If a client requests their data, you must provide it to them in a commonly used format, such as CSV.
3. Right to rectification
You must allow a client to correct incomplete or inaccurate information.
4. Right to erasure
Clients can request deletion or removal of personal data when there is no compelling reason for its continued processing. Also referred to as “the right to be forgotten.”
5. Right to restrict processing
Individuals have the right to block processing of personal data. In such cases, you can store the data but no longer process it.
6. Right to portability
You must allow individuals to obtain and reuse their personal data for their own purposes. This means you must provide it to them in a common format, such as CSV.
7. Right to object
Individuals can object to having their personal information used. This includes use for purposes of direct marketing, research, and statistics.
8. Rights related to automatic decision making, including profiling
This rule specifies when you can use profiling and automated decision making. It also defines requirements that must be met, such as the individual providing explicit consent.