WHAT IS GENERAL DATA PROTECTIONS REGULATION (GDPR)?The General Data Protections Regulation (GDPR) is a ruling intended to protect the data of citizens within the European Union. The GDPR is a move by The Council of the European Union, European Parliament, and European Commission to provide citizens with a greater level of control over their personal data.
BEFORE WE STARTThe information below IS NOT legal advice. I am not an attorney, and the information below only offers suggestions.
WHEN WILL THE GDPR BE ENFORCED?As of May 25, 2018, heavy fines will be levied against any business who does not meet the guidelines set forth by the GDPR.
WHO WILL BE AFFECTED BY THE GDPR?
The GDPR has far-reaching implications for all citizens of the European Union and businesses operating within the EU, regardless of physical location. If businesses hope to offer goods or services to citizens of the EU, they will be subject to the penalties imposed by the GDPR. In addition, any business that holds personal data of EU citizens can be held accountable under the GDPR.
What sort of data will fall under the General Data Protections Regulation?
- Name
- Photo
- Email address
- Social media posts
- Personal medical information
- IP addresses
- Bank details
The regulation specifies the entities that will be impacted by the GDPR. The wording specifically includes data processors and data controllers. What does this mean? Information that is stored in a “cloud” or in a separate physical location is still subject to penalties. Regardless of who has determined how your information will be used and who actually uses it, fines can still be imposed for misuse if it concerns the data of EU citizens.
MY BUSINESS ONLY TAKES CUSTOMERS FROM MY COUNTRY, WHY SHOULD I CARE?
The GDPR is all about protecting EU Citizens’ data, so as a Business in Australia for example, if you get someone filling out your form who also lives in Australia, but they are an EU citizen, you are now managing data from an EU citizen. Therefore you need to comply to the new GDPR laws.
Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent – and what is the difference?
The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.
WHAT SHOULD I DO TO MY WEBSITE, TO MAKE IT COMPLIANT
You should have a Terms and Conditions and Privacy Policy link on your website, added to advise customers how you are using and storing their data. This could be relative to your email lists, request more information signups etc. Registered Users, and Shopping Data. You should also have a checkbox asking for them to agree to your above mentioned terms (This also needs to be a seperate checkbox to your existing (Opt into marketing). You will also need to advise the customers how they can opt out at any time and specify how they can do this.
WHERE CAN I FIND OUT MORE INFORMATION
The GDPR portal is the main source of information and can be found here > https://www.eugdpr.org
You can get a Terms and Conditions or Privacy Policies created here https://termsfeed.com. But please remember, these documents are Legal Information, and are not Legal Advice.
WHAT HAPPENS IF I DON’T COMPLY
There is no definitive way on how this will be enforced globally, and will only really be shown as time progresses.