The General Data Protection Regulation (GDPR), instituted as a regulation by the European Union (EU) and European Economic Area, applies to any website no matter what type of business you're in.
The regulation went into effect on May 25, 2018, but there is still a lot of confusion surrounding how to become GDPR compliant and to whom the rules apply.
The regulation affects 28 EU countries, but here is the kicker — if you offer goods or services to anyone within those 28 countries, the rules apply to you. Yes, even if you live in the United States. The regulation requires people to be compliant, so now is the time to get your privacy policies updated and ensure you're compliant with GDPR regulations.
Right behind the GDPR is the new California Consumer Privacy Act of 2018 (CCPA). The CCPA aims at larger companies that collect data and take in revenues above $25 million, so it won't apply to most small businesses. If you are GDPR compliant, you'll be well on your way to being CCPA compliant.
Here are seven considerations to keep in mind as you strive for compliance by the first of the year.
1. Avoid Penalties
The penalties for not being GDPR compliant are stiff. The maximum penalty is €20 million or 4% of global annual revenue. Even though the penalties may only apply to extreme cases and intentional violations, the possibility of a hefty financial fine exists.
For most small business owners, even a tiny penalty would destroy their business. The litigation fees alone could be enough to drive them into bankruptcy. It's much easier to ensure you're GDPR compliant than to risk a fine.
2. Confirm If the GDPR Applies to You
If you want people to trust you with their information, share what you do with the information you collect, whom you share it with, and the steps you take to protect that information.
3. Secure Your Data
One of your responsibilities under the regulation is to protect the data you do collect. You should have security measures in place to prevent a data breach, including firewalls and monitoring your site for vulnerabilities. If you run a WordPress blog, this might be a simple matter of installing a plugin and using complex passwords.
Organizations that collect sensitive data, such as Social Security numbers, should take additional measures to protect that information from a data breach.
4. Inform People of Breaches
Another aspect of the GDPR is that you need to inform your customers anytime there is a data breach. They should know someone may have stolen their information so that they can take measures to protect themselves from identity theft.
5. Protect Private Information
In a class-action lawsuit against Google, parties settled for $8.5 million because Google violated regulations by sharing private information by showing search terms users typed into Google's search bar. The moral of this story is that you need to protect personal information users share.
The best course of action is not sharing information with third parties. If you want to partner with another company, share news about the other company with your followers, rather than providing your customers' information to the company.
- What personal data you collect and how you use it. Also, include information on how long you keep the data and who has access to it.
- Who your data protection officers are and how to contact them.
- Statement of users' rights under the GDPR — more on this below.
You'll need to thoroughly explain why you're collecting data if you're disclosing to third parties and mechanisms used to transfer data outside the EU. The policy should be easy for users to find and displayed from the first moment of contact, such as when someone lands on your website homepage.
7. Explain Their Rights
Users have eight rights under the GDPR, and you should inform them of those rights, which include:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights to automated decision making and profiling
Be sure to explain everything clearly and in language the average person can understand. You also must provide free details related to an individual's private information and what you do with it.
Get GDPR Compliant Now
If you haven't yet updated your privacy policies, you're a few months behind. It's urgent to get compliant immediately. Even if you haven't collected information from someone out of the country, you never know when a new contact from one of the 28 nations will land on your page and share their details.