The General Data Protection Regulation (GDPR) is still causing business owners some confusion. This article will help you understand your obligations.
It’s important that you adhere to the GDPR because non-compliance can land you a hefty fine. To date, regulators across the EU and UK, the Information Commissioner’s Office (ICO) among them, have issued GDPR fines totalling almost 3,000,000,000 euros.
Not bad for five years of work.
Whilst the likes of Google and Facebook, the tech giants most often accused of flouting data protection laws, can absorb a fine and carry on acquiring personal data from their users, the average business risks going out of business if it suffers a data breach.
“The organizations that have taken the biggest hit, it seems, are the smaller companies that had to overhaul their programs to conform to the new GDPR rules. As a result, they likely lost some footing while restructuring their programs. Meanwhile, Google and Facebook continue to grow their domain.” ~ Fast Company
Does GDPR Apply To Your Business?
GDPR applies to most businesses in the world. It is not limited to companies based in Europe: if you process the personal data of anyone located in the EU or EEA, whatever their nationality, GDPR affects you, and the UK GDPR applies in the same way to people located in the UK.
Personal data is broader than names and email addresses. Cookie identifiers, IP addresses and location data all count, so if you set cookies or log visitor IP addresses you are obliged to comply. The same applies if you collect details in exchange for downloadable content, e.g. courses, newsletters or whitepapers.
What Constitutes a ‘Breach’ Under GDPR?
Strictly, a “personal data breach” under GDPR (Article 4(12)) is a security incident in which personal data is lost, destroyed, altered, disclosed or accessed without authorisation. In everyday use the word also covers any infringement of the rules. A company is in breach of GDPR if it:
- Stores personal data without a lawful basis, such as the individual’s consent
- Sells or shares personal data with third parties without consent
- Uses personal data for purposes the individual was not told about
- Allows personal data to be lost or destroyed
- Suffers a personal data breach (for example, data stolen by an attacker)
- Alters an individual’s data without their consent
- Fails to appoint a data protection officer where one is required (public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data)
Violations of GDPR are judged on a case-by-case basis. To get an idea of the reasons for and amounts of fines, check out the GDPR Enforcement Tracker. And for more information on GDPR, check out this cheat sheet.
What are Your Obligations Under GDPR?
1. Consent
You need a lawful basis for every use of personal data. Consent is one of six lawful bases, and the usual one for marketing, newsletters and non-essential cookies; where you rely on it, you must ask the user for consent before you collect or store their personal information, not afterwards.
2. Opt-in must be clear
Consent is typically given by an opt-in process: an unticked box that the user actively ticks. Pre-ticked boxes, silence or continued browsing do not count as consent. How you store and use the data must also be stated clearly in your privacy policy.
3. Permission must be fair
Consent must be specific and granular, so blanket consent forms are not valid. For example, a pop-up box informing users that your website uses cookies only covers what the user was actually told about, such as a cookie identifier; it gives you no right to acquire other data, such as the user’s name or address, or to use the identifier for purposes the notice did not mention.
4. Keep consent records
You must be able to demonstrate that consent was given (Article 7(1)): who gave it, when, what they were told, and how. For example, if a visitor ticks a box to receive your newsletter when downloading a PDF, record the timestamp of the download, the wording of the notice they saw and the mechanism used. Keep the record when consent is withdrawn too; the withdrawal is a new record, not a reason to delete the original.
5. One-month deadline to fulfil requests
Individuals have the right to access the personal data you hold about them, whatever lawful basis you collected it under, and to ask you to correct or erase it. You must respond without undue delay and at the latest within one month of receiving the request (Article 12(3)). For complex or numerous requests the period can be extended by up to two further months, but you must tell the individual about the extension within the first month.
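The record-keeping in point 4 and the request deadline in point 5 are easier to get right with a concrete data model. The following is an added example, not code from the original article: a hypothetical append-only consent ledger in which a withdrawal is stored as a new event rather than by editing or deleting the grant, so the evidence that consent was once given survives, plus a deadline helper that adds one calendar month to the date a request was received. The subject identifier, purposes, notice versions and timeline are constructed sample data.

```python
import calendar
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical consent ledger (added example, not the article's own code).
# Design rule: append-only. A withdrawal is a new event, so the evidence that
# consent was given is never overwritten or deleted.


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # pseudonymous key, not the person's name or email
    purpose: str          # what the data will be used for, e.g. "newsletter"
    action: str           # "granted" or "withdrawn"
    at: datetime          # timezone-aware, stored as UTC
    source: str           # where it happened, e.g. "checkbox on /whitepaper.pdf"
    notice_version: str   # version of the privacy notice the person was shown


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, action: str,
                at: datetime, source: str, notice_version: str) -> ConsentEvent:
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        ev = ConsentEvent(subject_id, purpose, action,
                          at.astimezone(timezone.utc), source, notice_version)
        self._events.append(ev)
        return ev

    def grant(self, subject_id, purpose, at, source, notice_version):
        return self._append(subject_id, purpose, "granted", at, source, notice_version)

    def withdraw(self, subject_id, purpose, at, source, notice_version):
        return self._append(subject_id, purpose, "withdrawn", at, source, notice_version)

    def is_valid(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> bool:
        """True only if the most recent event for this subject and purpose,
        on or before `at`, is a grant. Consent is never assumed by default."""
        at = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if (ev.subject_id, ev.purpose) == (subject_id, purpose) and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.action == "granted"

    def evidence(self, subject_id: str) -> List[dict]:
        """Every consent event held about one subject, serialisable as-is
        for a subject access request."""
        return [{**asdict(ev), "at": ev.at.isoformat()}
                for ev in self._events if ev.subject_id == subject_id]


def response_deadline(received_at: datetime) -> datetime:
    """Latest date to answer a data-subject request: one calendar month after
    receipt (GDPR Art. 12(3)), clamped to the last day of a shorter month."""
    year = received_at.year + received_at.month // 12
    month = received_at.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return received_at.replace(year=year, month=month,
                               day=min(received_at.day, last_day))


# Constructed sample timeline (not real data): a visitor ticks the newsletter
# box while downloading a whitepaper, later unsubscribes, then re-subscribes.
T_GRANT = datetime(2024, 1, 31, 9, 0, tzinfo=timezone.utc)
T_WITHDRAW = datetime(2024, 3, 2, 18, 30, tzinfo=timezone.utc)
T_REGRANT = datetime(2024, 6, 10, 11, 15, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    led = ConsentLedger()
    led.grant("user-4711", "newsletter", T_GRANT,
              "checkbox on /downloads/whitepaper.pdf", "privacy-notice-v3")
    led.withdraw("user-4711", "newsletter", T_WITHDRAW,
                 "unsubscribe link in email", "privacy-notice-v3")
    led.grant("user-4711", "newsletter", T_REGRANT,
              "checkbox on /newsletter", "privacy-notice-v4")
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    print(led.is_valid("user-4711", "newsletter", at=T_WITHDRAW))  # False
    print(led.is_valid("user-4711", "newsletter", at=T_REGRANT))   # True
    print(response_deadline(T_GRANT).date())                         # 2024-02-29
    for row in led.evidence("user-4711"):
        print(row)
```

Two design choices matter here. `is_valid` returns False unless it finds an explicit grant as the latest event, so a subject with no record is treated as not having consented rather than the other way round. And `response_deadline` counts a calendar month rather than 30 days, which is what Article 12(3) actually says; a request received on 31 January is due on the last day of February, not on 1 March.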
6. Install adequate technologies
Article 32 requires companies to put in place technical and organisational security measures appropriate to the risk, as part of their wider GDPR responsibilities. In practice that means recognised controls such as encryption or pseudonymisation of personal data, access controls so that only staff who need the data can reach it, the ability to restore the data after an incident, and regular testing that those controls still work. In addition, you must have a process in place that ensures personal data is not lost, stolen, destroyed or altered without authorisation, and that lets you notice quickly when it has been.