GDPR is a law governing how Internet users' personal data can be collected, processed and used. This new regulation officially went into effect on May 25, 2018 and affects everyone in the European Union (EU). According to GDPR guidelines, websites are required to protect site visitors' privacy and inform users about the type of data collected and what this data is used for, by:
- Requiring the users' consent to collect and store data (via on-screen cookie notification, opt-in/opt-out)
- Facilitating the ability to delete all data collected (upon the visitor's request, via form or email)
GDPR isn't just about consumer rights; it's about enforcement. Under this regulation, the multi-level compliance structure built into the law (and the threat of heavy fines) will force larger companies to enforce compliance on smaller companies, and so on down the line, by policing and enforcing the broad set of rules.
In case there was any question, GDPR also applies to United States companies with business overseas, including US businesses with a web presence. Organizations that consider GDPR to be just about updating their privacy policies (which we've all seen plenty of lately) could be hit hardest financially if they don't have the internal mechanisms in place to comply with the law. Not to mention that brand reputation could be more important, and more costly, in the long run than avoiding fines.
Under GDPR, companies are required to ask for consent to collect your data and to communicate with customers. It gives consumers more control to update, change, or correct data, and the right to find out who is processing their data, potentially even a third party that might receive the information.
GENERAL DATA PROTECTION REGULATION (GDPR) Reference Documentation
Assess Aspects of Data Processing
- Data Privacy Assessment
- Define the types of personal data to be collected
- Provide customers/users with an immediate on-screen notification and options to consent to or decline (opt-in/opt-out) data collection (cookies, forms, etc.)
- Provide customers/users with a clear path to request removal of their data from your system
- Define security measures, encryption and information safeguards
- Define compliance guidelines for outside third-party data processors/controllers
- Define internal employee data-handling policies and procedures
- For larger businesses, a Data Protection Officer or team may be a consideration.
GDPR Internal Compliance Documentation (Policies and Procedures) - update and maintain...
- Retention Policy: define internal procedures for all data types processed and maintained
- Operations Policy: define internal information-handling procedures
- Data Processor Policy: define procedures for data controller contracts, including compliance guidelines
- Third-Party Policy: define procedures for external data management contracts to ensure legal requirements are met
To keep the digital landscape safe for all, it is important for business owners, managers and web developers to understand their respective responsibilities and duties for all types of online interactions (B2B, B2C, C2C). This is not only ethically good business practice, but now it's the law. Besides helping to protect your users'/customers' information from ever-growing security threats, identity theft and fraud, this helps to protect YOU from liability and heavy fines if compliance is not met.