If you think Facebook is the only company that needs to think about data privacy and security issues, unfortunately you are mistaken. Right now, most companies need to consider whether or not there are prepared to protect the personal data of their customers. Not only because of the outrage and backlash that companies face in the aftermath of a breach but because of regulations like the GDPR and other data protection laws. The General Data Protection Regulation (GDPR) is a regulation that has been passed by the European Union and is set to be implemented in May 2018 and companies need to take steps to meet GDPR compliance requirements.

What if your company has no presence in the EU?

GDPR could still apply to your company if you offer goods and/or services to people in the EU and you collect data from them or if you process data received from a third party who does. This is important because non-compliance could result in massive fines up to 20 million Euros or 4% of global company turnover, whichever is higher. These fines are high due to the EU’s intention to deter companies from misusing data.

The GDPR allows for personal data processing where the owner of the data consents and you have legitimate reasons to collect the data or when the processing is necessary for tax, legal, or other reasons.

Personal Data as defined by the GDPR includes any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Some GDPR Personal Data Rights and how they could affect your business:

1. Opt In/Opt Out: The GDPR requires that companies obtain and keep records affirmative opt in to collect personal data. Traditionally, companies have relied on their online Terms of Use and Privacy Policies to dictate the collection of data and have notified users that their continued use of the services constitutes acceptance of the data collection. This is not sufficient under the GDPR. Companies will have to receive and keep a record of each opt in. Furthermore, users must also be able to opt out of the collection and opting out cannot be more difficult a process than opting in. You will need to keep records of each opt in and opt out action taken by all users and be able to provide them if requested.
2. Right to Access: Consumers have a right to know what data is being collected and for what purpose. You need to be able to provide this information for free to anyone who asks for it.
3. Portability: Not only do consumers have a right to know what data you’ve collected and what you’ve done with it, they also have a right to obtain a copy of all data you’ve collected to use for any other reason. Your company needs to be able to provide them with a copy in a readable format at no charge and within one month of the request.
4. Erasure: Consumers have a right to be forgotten completely. Your company should have a process by which, upon request, you can access all data collected regarding an individual and erase it completely from your systems and files. There are some exceptions to this where you need to keep certain data for specific reasons such as for taxes or legal reasons. Even then, you must delete all non-necessary data.

The GDPR also places restrictions on and regulations regarding the transfer of Personal Data outside of the European Union. Data breaches must be reported to authorities within 72 hours and companies must have a process in place to notify potentially affected individuals.

This is not an exhaustive list of all requirements imposed by the GDPR. It is imperative that companies have processes, procedures, technological capabilities and training in place so that they can comply.

GDPR Compliance: 5 Steps You Need to Take

1. Evaluate what data are you collecting and why.
2. Understand why you need to collect/process the data you collect.
   1. Do you really need to do it?
   2. What happens to the data after it is collected?
3. Review your consent process.
   1. Individuals should provide affirmative consent and your privacy policies must be written in clear language.
   2. Revocation of consent must be as easy as giving it.
   3. You must retain consent receipts (show both you and your client that they gave and or revoked consent).
4. Compare existing procedures to GDPR requirements and make edits.
   1. What do you already have in place and what do you need to expand or change?
5. Implement all policies before May 25, 2018.
   1. Documentation
   2. Audit
   3. Training
   4. If you aren’t there yet, you need to be able to explain why you are not compliant.

The GDPR is a complex law with significant impact on the business community. Time will tell us the full extent and impact on business but we recommend taking steps now to move toward compliance. Contact Revision Legal for more information or for further guidance and resources.