What is GDPR?
We’ve been receiving a lot of questions about the GDPR and we wanted to take a moment to explain it to you. We want to keep you informed on this subject, but also to show you what is yet to come.
“The General Data Protection Regulation (GDPR) is a regulation (binding legislation, not just a directive) by which the EU intends to strengthen and unify data protection for all individuals from the European Union (EU). It also addresses the export of personal data outside the EU.
It aims primarily to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business (any company that is gathering, processing or storing the personal data of EU citizens).”
GDPR also includes steep sanctions for any company that is not compliant with the GDPR regulation after May 25th, 2018, when the GDPR goes into effect. These fines can go up to 20 million Euros or 4% of annual global (note global!) turnover, whichever is higher.
Key Principles of GDPR
Here are the key takeaways you need to be aware of:
- Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
- Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
- Personal data held needs to be kept up to date and accurate. It should be held no longer than necessary to fulfill its purpose.
- EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.
- All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer.
My company is not within the EU. Does the GDPR even apply to me?
It applies to all companies (globally) that are processing and holding the personal data of those residing in the European Union, regardless of the company’s location.
Why the urgency?
Although the GDPR was introduced two years ago, it becomes enforceable starting May 25, 2018.
We do not charge for services we offer. Do we need to comply?
Yes. The GDPR applies to firms that offer goods or services to EU residents irrespective of whether payment is exchanged.
What type of data is considered to be “personal data”?
Any information related to a natural person, or “Data Subject”, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
How do I obtain consent?
In general, consent needs to be explicit, opt-in and freely given. This means the popular opt-out based consent of today will no longer be acceptable.
Does my business need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Let’s be honest – talking about data regulations doesn’t sound fun to most of us. But if you own or develop websites that gather or process personal data, you can’t afford to bury your head in the sand.
We wanted to make sure you won’t be surprised by all the things that are coming and to reassure you that none of these changes will impact our principles and the way we’ve been operating so far. Your data is in safe hands and well-protected.
Want to know more? Contact us here.
Marko Tanaskovic | Growth Engineer & Business Intelligence / Digital Marketing Expert