Are You Violating the GDPR? Avoid These Mistakes.
What Exactly is the GDPR?
The letters GDPR are enough to invoke a physical panic response in many US-based businesses. GDPR, or the European Union’s General Data Protection Regulation, went into effect May 25, 2018.
The fundamental principle is that the European Union wants to give its citizens better control over their personal data. The idea is that this is an opportunity for businesses to do a better job of protecting customer and client data and privacy.
EU citizens and residents have the right to decide how their data is handled. The GDPR stipulates that the data of EU citizens and residents belongs to them, and they have the right to decide whether to permit the use of that data or not.
Here Are Common GDPR Mistakes You May Be Making:
Thinking European Laws Don’t Apply to You Because You Are US-based.
Any business that handles the data of an EU citizen or an EU resident must comply with GDPR rules, regardless of where in the world that business is located. If an EU citizen visits and creates an account on your website, you are affected by the GDPR laws.
Not Correctly Identifying Personal Data and Information.
Identifiable information has evolved over time on the Internet. It is important to understand all the components included in “personal data.”
What is included in personal data?
• ID Number
• Physical data
• Physiological data
• Genetic information
• Biometric data
In order to be compliant with GDPR, all personally identifiable information must be protected. Businesses are responsible for protecting a wide swath of information, and that can include images, IP addresses, social media posts, as well as traditional customer information.
Failing to Understand the Entire Scope of the GDPR.
If your business focuses only on the basics of the GDPR, you are at risk of violating its more complex provisions. Consent to use personal data, the right to have personal data erased, and the right to object to personal data being used for marketing purposes are fairly well understood by most businesses.
There are other complexities of this long legal document that may require interpretation by a legal expert. The penalties for violation are severe, and businesses cannot choose to comply with certain parts of the GDPR while ignoring the rest.
Not Fully Complying with Right to Erasure
If an EU customer asks you to delete their personal information, under the GDPR that means a comprehensive elimination of all data associated with that customer. It is not possible, for example, to retain that customer’s contact information for marketing purposes.
Disclosure of Data Breaches
Compliance with GDPR regulations requires your business to maintain records of how you collect, handle, and store data. Every business must have data security measures in place.
In the event of a data breach, you have 72 hours to notify anyone affected. Failure to do so is a violation of GDPR.
Penalties and Fines
2018 was a time of implementation of GDPR. During this initial grace period, companies were warned about violations and given the opportunity to comply with the regulations.
Enforcement of GDPR is expected to begin in earnest in 2019. Companies ignoring or attempting to skirt the GDPR’s 100-plus-page text will find themselves facing stiff fines.
Just how big are the fines? Up to 4% of global revenue, or 20 million euros - whichever is HIGHER. Ouch.
Review Your GDPR Compliance Now
With so much at stake, it makes sense to review your company’s compliance with all of the GDPR’s requirements. The Data Protection Commission (located in Ireland) will be implementing and enforcing GDPR compliance by all businesses.
The goal is not to punish companies. The goal of the GDPR is to protect personal data by ensuring that businesses comply with its rules. Correct any GDPR errors you may be making to avoid potentially costly complaints.