GDPR: What It Means For Your Business If you’re a business owner, you have undoubtedly heard of the passing of the GDPR on May 25th, 2018. As a web development agency in Chicago, Codal has been acutely aware of this legislation and its breadth. Yet, this astronomical legislation was a long time coming- the GDPR’s construction started in December 2015. The General Data Protection Regulation, or most commonly referred to as the “GDPR,” is a European Union privacy and security law. Now, I know what you’re thinking. How does this impact my business if I am in America and my business is based in the U.S.? Since GDPR involves any personal data that EU citizens provide, its reach is far beyond Europe. Thus, if your business operates in the European Union, offers services/goods to EU citizens, or essentially accesses any part of the EU- you must be in compliance with the GDPR. The GDPR is the largest cybersecurity update in the past two decades: giving data control back to the user and limiting the extent that businesses can use this information.
Source
The price for not complying? Lawsuits and fines galore. Now, that’s scary. And for the sake of user cybersecurity, it’s meant to have that fear factor. As a web application development agency in Chicago, that works with a number of companies that are affected by these laws- I understand the unease that you must being experiencing. However, we are going to delve into this cryptic legislation together and determine what it means for your business. Taking A Bird’s Eye View If your business falls under the breadth of the GDPR, the first thing to do would be to take a step back and look at the data being collected holistically. What are you collecting this data for, and are your users aware of these uses? The GDPR emphasizes that users have control over their “personal data.” Forbes simplifies and lays out what this would encompass: personal identifying data (name, address, date of birth, web-based data (location, IP address, cookies), health/genetic data, biometric data, racial/ethnic data, political opinions and sexual orientation. That’s a lot of data. If your business is using any of this information, it is pertinent that you check your privacy agreements to be in accordance with the GDPR (Article 7 in the legislation). Are users explicitly agreeing to the following ‘terms and conditions,’ that would allow you to use this data? If the answer is no, your privacy agreement may be due for a facelift. No matter what your answer is, GDPR is a reminder that your privacy agreement could probably use an update. This is why so many users have been receiving emails asking them to review changes in these privacy agreements. I would recommend following suit: once you update the agreements, let users know of these changes and require them to re-agree. If you’re looking for an example of GDPR compliant privacy agreements, Google has a good example of their user policy here or here.
Review. And if necessary, be sure to revise promptly. Hire A Data Protection Officer In addition to a potential update in privacy agreements, a business should consider hiring a data protection officer, or a “DPO” for short. A data protection officer ensures that a business is adhering to all aspects of the GDPR. DPOs also work on data protection strategy and the implementation of new security protocols. Additionally, a DPO has to conduct audits of a business’ security, train other employees about data processing, and more. Depending on the amount of data your business processes, GDPR may require you to hire a DPO. We recommend taking a look at the GDPR legislation to see how your business fits into this requirement. Who knows, your new DPO might become your right-hand man. Plans And Records As the GDPR is put into effect, businesses also need to create a Record of Processing Activities (RoPA). The RoPA includes: information about the data controller, purposes of processing, and the security measures put in place. Article 30 details this portion of the GDPR in further detail. Another important addition to the GDPR is its policy regarding data breaches. The GDPR requires companies to report breaches within 72 hours of the incident occurring. That’s a quick turnaround. This short timeline means that companies should create policies on how they might handle a data breach. The quicker breach plans can be implemented, the sooner a business can minimize the damage and lay out its next steps - all while fitting in with the GDPR requirements. However, if a company fails to report a data breach, they will face hefty fines. Better safe than sorry, make sure your business is in line with the GDPR requirements.
What Next? The bottom line is that you should get your business to be GDPR compliant as soon as possible. Though the full GDPR requirements are much lengthier than this article, it’s a good starting point to refining your business’ data protocols. This includes a dvertising and the social media realm! Prevent the excessive fines and lawsuits - get on board with the GDPR. And while you’re in the mindset of updating your business, get in contact with an eCommerce web design company to help your users find your security policies and privacy changes with ease. UX Design & Software Development Agency Written by Taylor Cygan