GDPR: What It Means For Your Business

Jun 1, 2021 | Development, Marketing

Security is key

When was the last time you ordered a product online? Or sent an email to a colleague with information about a company project with private data? These actions all require a level of trust with the website you use. Composed of 11 chapters and 91 articles, GDPR compliance was put in place to give users control over their personal information and provide a sense of security as they interact with websites.

What is GDPR?

GDPR stands for General Data Protection Regulation and ensures the security of users’ personal and private information as it is collected, processed, stored, and destroyed. Established in April 2016 by the European Council and Parliament, this regulation means that any site collecting information from users is now required to be more transparent and give its users more control over how their data is handled. 

GDPR applies to any personal information that could be used to identify a person. This protects a variety of information such as… 

  • Basic identity information such as name, address, and ID numbers
  • Web data such as location, IP address, cookie data, and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

GDPR applies to any company that processes information about EU citizens, even if the organization is not based out of Europe. The specific regulations apply to companies that… 

  • Have a presence in an EU country
  • Process personal data of European residents
  • Have more than 250 employees
  • Have fewer than 250 employees but “its data-processing impacts the rights and freedoms of data subjects is not occasional, or includes certain types of sensitive personal data” 

What does GDPR mean?

Similar to ADA compliance, the requirements for GDPR compliance are not black and white. Companies must “provide a reasonable level of protection for personal data.” Following GDPR is not a simple job that can be passed to the IT team and forgotten. In addition to their own products, companies are responsible for ensuring that the third parties they use are compliant with GDPR.

Although there are no exact guidelines, a few key components of the regulation require organizations to: 

  • Alert users if a data breach occurs (within 72 hours)
  • Be cautious while transferring personal data
  • Keep collected data anonymous
  • Assess and review their site consistently to discover potential risks

GDPR gives users the right to a variety of actions such as stopping their data from being collected, allowing them to transfer it to a different provider, accessing their data upon request, and much more. The users are now in the driver’s seat, with the ability and knowledge to make these decisions for themselves.

An important factor of GDPR is not just what happens to data but how an organization responds. Companies need to be proactive and understand their current safety measures and what steps are needed in case of a breach. 

  • Do you have steps in place if something goes wrong? 
  • Do you have a team set up with clear roles and responsibilities? 
  • How will you communicate to the affected parties? 

Everyone on your team should be confident with your organization’s GDPR process and the current regulations that are in place. You must know what data you have in order to know how to protect it. Keep a thorough and organized record of this information so your team knows how to stay compliant and has easy access to the data in case of an audit. You should have a process in place for deleting personal data that a user may want erased. We also recommend running an audit of your site or using a GDPR checklist to ensure your site is currently compliant.

Final Thoughts

Not complying with GDPR costs you the trust of users and could mean large penalties and fines. With all of the personal information circulating the web, security is more important than ever. Don’t get stuck playing catch up, but take control of the information you have and give your users peace of mind.

 
