A Quick Guide to GDPR Requirements and Which Businesses It Affects

OMG! Has your email been blowing up about GDPR like mine has? Well, the GDPR regulations deadline just hit TODAY (May 25, 2018). Anything named the General Data Protection Regulation (GDPR) doesn’t sound like a great deal of fun to read. And being out of compliance holds some strict penalties. Read on to find a quick and easy explanation why.

What is GDPR? An Overview

The GDPR is considered one of the strictest set of laws in the world regulating the collection and use of consumer data. Under GDPR, companies will need to:

  • Get clear consent for collecting people’s personal data.
  • Allow access to the data that is stored about them.
  • Fix that data if it’s wrong.
  • Delete their data if the individual requests it.

The fundamental principle of the regulation is the right to privacy and protection of EU citizens by giving them right to anonymity in the data that they share with businesses and enterprises. To ensure this, GDPR put the responsibility on businesses to obtain consumer consent, which must be “freely given, specific, informed, and unambiguous.”

The General Data Protection Regulation replaces the now very outdated 1995 Data Protection Directive, which was created back when the internet was just getting started. GDPR was adopted in 2016, however, it allowed two years to fully implement its provisions. The deadline for this is today.

Why do I care? The Consequences

First of all… fines. Do I have your attention? Could anyone from Europe possibly visit your website? Even businesses not based in the European Union (EU) may still be required to be in compliance with GDPR if it collects data on the people in the EU’s 28 member states. Fines can go up to 4% of annual growth, in the worst cases, and have a cap of 20 million euros (or 23.3 million USD).

But don’t panic. This isn’t the end of the world.

While GDPR has the potential to escalate to those high level of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.

What’s Next? The Wrap

Granted, GDPR is pretty darn complicated. In a New York Times opinion article, Alison Cool (https://www.nytimes.com/2018/05/15/opinion/gdpr-europe-data-protection.html), a professor of anthropology and information science at UC Boulder wrote that:

“In 2017, the year after the regulation was approved, I interviewed scientists, data managers, legal scholars, lawyers, ethicists and activists in Sweden. I learned that many scientists and data managers who will be subject to the law find it incomprehensible. They doubted that absolute compliance was even possible.”

To sum up, GDPR is probably more of a journey, not a destination. However, it’s not a journey that you ignore. If your company or business works with EU citizens or collects data concerning them (ie. if EU visitors come to your site and fill out a form, or you have cookies on your website), you have some steps to take. For more information on practical steps, we’ll have another article on Tuesday with some more information that we’re finding.

We’ve also started to hear that there are phishing scams happening already. A GDPR focused scam is going around that asks you to hand over passwords and credit card details. For more info click on ZDNET.com’s GDPR phishing article (https://www.zdnet.com/article/phishing-alert-gdpr-themed-scam-wants-you-to-hand-over-passwords-credit-card-details/).

Want more information about the steps UZU is taking proactive steps to protect our clients from GDPR non-compliance risks? Stay tuned for our next piece in a few days as we go into further detail about GDPR compliance steps.