The GDPR. It's an acronym likely to make many people nervous, but the EU's General Data Protection Regulation (GDPR) doesn't have to be. Even the most confident business leaders and marketers can be intimidated by data privacy laws, but they are simple to understand when broken down.
In this simple GDPR guide, we'll go over everything you need to know about this leading privacy law. We'll review the fundamentals, and also look at compliance.
You might be wondering how to stay GDPR compliant, but first, we need to lay the groundwork. Knowing how to work alongside this critical privacy law becomes easier once you understand what it entails.
In this section, we'll go over the fundamentals of the General Data Protection Regulation (GDPR). We'll learn what it is, who it protects, what rights it grants, and what your responsibilities as a business are.
The General Data Protection Regulation (GDPR), or GDPR as it is more commonly known, is a key European Union data privacy law. While it is intended for and protects EU citizens, its effects have spread globally since it went into effect on May 25, 2018.
It was designed, like most privacy laws, to give people a better understanding of how their data is collected and used, as well as more control over where and when that happens through the introduction of new rights. It is intended to strengthen millions of people's data security and impose stringent requirements on businesses and organizations to uphold those rights.
It's easy to read the GDPR and conclude that it only applies to European Union citizens. While this is correct, it only tells a portion of the story. To understand where the GDPR applies, examine the relationship between an organization and the user.
The GDPR applies if you run your business from within the EU, even if the data is processed outside the EU, such as by using a third-party tool or service provider. This means that you should apply GDPR principles to your entire business, even if most of your customers are located outside of Europe.
Organizations that are not based in the EU may also be affected by the GDPR. If you sell or provide goods or services to people in the EU, you must ensure compliance. As an EU citizen, they are protected by the GDPR and have certain expectations about how you handle their data, even if they are based in Canada, the United States, or elsewhere in the world.
Following the UK's exit from the EU, the GDPR no longer applies to your company's interactions with people in the UK. However, the Data Protection Act (DPA) applies and is the UK's implementation of similar principles. The UK GDPR, which works alongside the DPA and is closely related to the GDPR, also applies.
Given that it is nearly impossible to predict where your next customer will come from if you run an eCommerce business on a platform like Shopify, it makes sense to structure your business to be GDPR compliant. Even if you are not required to comply with GDPR, you may discover that other privacy laws apply to you. Brazil's LGPD, Canada's PIPEDA, and California's CCPA are examples of important data protection laws to be aware of.
The GDPR's six core principles are as follows:
Accountability. While not a core principle, it underpins the preceding principles.
You must be responsible and follow GDPR. (There were eight principles in the original Data Protection Act (DPA) of 1998. Six of these were similar to the current GDPR principles listed above. They were originally fairness and lawfulness, purposes, adequacy, accuracy, retention, rights, and security).
Complying with the GDPR is not only a legal requirement if it applies to your company, but it is also a good way to demonstrate to your customers that you value their data privacy and rights.
Companies rarely take a stand against complying with the GDPR. Most businesses have their customers' best interests at heart, but they can still fail to comply, for example, by keeping incorrect records or failing to respond to a data breach.
If an organization is found to be in violation of the GDPR, it may face fines of up to €20 million or 4% of its global turnover, whichever is greater. Not only that, but they may be subject to compensation claims for damages and, as a result, an intensive auditing program.
Since the GDPR's implementation, several high-profile and costly fines have been imposed on organizations. The French regulatory authority fined Amazon and Google €35 million and €60 million, respectively, in 2020 for depositing cookies without consent.
Even if you own a small business, noncompliance can be costly and damaging to your reputation. While you are unlikely to face fines in the millions of dollars, there are financial penalties and the possibility of damages costs to be aware of. Compliance should be prioritized to help reduce your risk exposure.
The first question to ask yourself is whether or not you collect personal data on your website. For instance, you could have a contact form that requests a name and email address. If you want to send marketing emails, include an 'opt-in' checkbox that explains how the data will be used. You may use the recipient's personal information for marketing purposes only if they check that box.
Also, ensure that the database in which the data is stored is secure. Your web hosting company or cloud storage provider can help you with this. Data storage in Microsoft 365 for business is GDPR-compliant.
The GDPR does not only apply to customer data; it also applies to employee data. Social media platforms such as LinkedIn are frequently used to find recruits. Make certain that no potential recruit data is stored without their express permission.
In the case of existing employee and new employee contracts, a signature at the end of a contract does not always imply consent, especially when a contract contains a non-affirmative clause. In this case, you must obtain explicit consent associated with the clause. What this means depends on your employee contract, but in some cases, you can use "legitimate interest" and include an employee data processing notice to ensure your employees understand what you will do with their data.
Don't be concerned about the GDPR and what it means for your company. You can take sensible steps to help you stay compliant and gain confidence in data privacy if you have a basic understanding of how it all works and what the risks are.