GDPR: Everything American Businesses Need to Know About the EU’s New Data Regulations
The GDPR compliance deadline for all businesses operating in the EU passed on May 25, 2018. If you want to continue operating in the European Union, then you need to be compliant with the new General Data Protection Regulation (GDPR).
Keep reading to discover everything American businesses need to know about the new GDPR and how it applies to your small or medium-sized business in the United States.
You Need to Be GDPR Compliant Immediately
First, let’s make something clear about GDPR deadlines.
The European Union voted to approve the new GDPR earlier this year. The GDPR came into effect on May 25, 2018. The EU has been enforcing the GDPR since that date.
From May 25, 2018 onward, you have been required to be compliant with the GDPR. Companies that aren’t compliant with the new regulations face costly fines.
Any American Company with Business in the EU Needs to Be GDPR Compliant
You may have found it easy to ignore the GDPR. After all, how can a new EU business regulation affect you?
The truth is: any company doing business in the EU needs to comply with the General Data Protection Regulation.
If you have any business with any member of the EU – even a single member state – then you need to be compliant with the GDPR.
Regardless of where your company is located, and regardless of where your company processes data, you’ll need to comply with the regulation if you do business in the EU.
You can view the current list of EU member countries here.
Non-Compliant Companies Face Hefty Fines
Companies that are not compliant with the new regulations will face huge fines.
If you’re non-compliant with GDPR regulations, then you could be fined $24 million USD (20 million EUR) or 4% of your annual global turnover – whichever is higher.
Companies that Comply with the Old Data Protection Act (DPA) Are Ahead of the Curve
If your company already does business in the EU, then you may be compliant with the Data Protection Act (DPA) already.
The DPA is the predecessor to the GDPR. You’ll still need to make changes to comply with the GDPR, but you’ll be one step ahead of other businesses.
If you comply with the DPA, then most of your data management procedures will also be GDPR compliant.
GDPR Requirements: What You Need to Know and Do Immediately
The GDPR outlines specific requirements for handling customer data in the EU. The goal of the GDPR is to increase user privacy and encourage corporations to adopt stricter security measures. Some of the key points of the regulation include:
- There are now strict parameters for getting consent to use someone’s data. You’ll need to display an intelligible, easily accessible form that uses clear, easy-to-understand language. Withdrawing consent must be equally easy. Gone are the days of encouraging customers to click a box beside a 50-page “terms and conditions” disclaimer.
- Breach notifications need to be sent within 72 hours of the company becoming aware of the breach. If your corporation’s defenses are hacked, then you need to alert users within 72 hours.
- Users have a “right to be forgotten”. This right allows users to request that their personal data be erased. If users make this request, then corporations will need to stop disseminating the data and halt third parties from accessing that data.
- The GDPR allows the individual to request and receive personal data and transmit it to another data controller.
- The GDPR makes it a legal requirement that data protection be considered when designing a system. It cannot be an addition or an afterthought.
- Some corporations will be required to appoint a data protection officer, or DPO.
How to Prepare your Business for the GDPR
Take some time to prepare your business for the GDPR. As mentioned above, the GDPR came into effect in May 2018 – so you need to become compliant as soon as possible. Here are some tips for achieving GDPR compliance:
Update your Privacy Notices
Today, many businesses send complicated privacy notices to users explaining how they collect and use data. This needs to stop. You need to update your privacy notices and explain to your customers how you use any personal data you collect. The privacy notice needs to explain the lawful basis for processing personal data.
Ensure You Comply with Data Portability Requirements
The GDPR outlines new data portability requirements. “Data portability” refers to the idea that a customer can access their data at any time, in a commonly used, machine-readable format. If a customer requests a copy of their data, then you need to provide that copy as soon as possible. Make sure your company is able to comply with that request and deliver customer data in a clear and easy way.
Make Sure You Respond to Access Requests in 30 Days
This relates to the point above. Most GDPR regulations require businesses to act within 30 days. If someone requests access to their data, then you’ll need to accommodate that request within 30 days. Make sure you’re able to respond to customer requests within that time period.
Review Consent Procedures
The GDPR focuses on consent, including how you seek, record, and manage consent. You cannot assume a user consents through silence or inactivity. The user must demonstrate a verifiable sign of their consent. We advise that you review the detailed consent instructions here.
Review Child Data Procedures
The GDPR outlines special protections for managing children’s data. Make sure your system is accurately verifying the age of users. You’re required to get parental or guardian consent for a child before processing that child’s data.
Data Breaches
Review your organization’s procedures for handling a data breach. The GDPR has specific requirements regarding how you handle a data breach. One of the most important requirements is that you respond to data breaches within 72 hours of becoming aware of the breach, “where feasible.” You can review the GDPR data breach requirements here.
Ultimately, if you’re already complying with the Data Protection Act (DPA), then you may not need to implement many changes.
Confused? Need to Make Your Site GDPR Compliant? We Can Help!
Our GDPR website update service is a big step in the right direction for your business’s GDPR compliance needs.
Our service will update your website with the tools to comply with many of the GDPR requirements, including consent, the right to be forgotten, data requests, breach notifications, and more.
If your business does business in the EU, if you’re seeking to do business in the EU, or if you want to be ahead of the game on compliance when the US and other countries follow with their own data protection regulations, then you should sign up for our service today. Being more transparent about your data protection process will only help build trust with your prospects and customers, not to mention avoiding the stiff fines and penalties for non-compliance – so the sooner you take action the better.
Get your site updated with our GDPR update service today!