The answer is yes. If you send emails to marketing or subscriber lists, or keep data on your website or social media visitors, you should be ready to update your privacy and data collection practices to meet the requirements of the General Data Protection Regulation (GDPR). Effective May 25, 2018, you must comply with GDPR regardless of where your business is located if you:
- Collect personal data from people who are in the European Union (EU), for example by offering them goods or services; or
- Monitor the behavior of someone who is physically in the EU.
For companies not located in the EU, whether GDPR applies turns on where the person is when they interact with your business, not on their citizenship. If an EU citizen is outside the EU when they visit your website, GDPR generally does not apply. Conversely, if a U.S. citizen is in the EU when they visit, GDPR may well apply, because the regulation covers people who are “in” the EU. Since you usually cannot know in advance where a visitor will be, ignoring GDPR is risky at best.
Here are a few points to consider when evaluating your GDPR compliance:
- What data are you collecting? Personal data under GDPR is broader than the U.S. notion of PII: it covers any information relating to an identifiable person, including online identifiers such as IP addresses and cookie IDs, location data, social media posts, ID numbers, and information about physical or mental health and genetic makeup, which fall into special categories that receive extra protection.
- Did you obtain proper permission to collect the data? Where you rely on consent, GDPR requires that you describe the use of the data in clear, plain language and obtain “informed consent” through an affirmative “opt-in”, meaning the person must take an action. Pre-checked boxes, inactivity, or silence do not qualify. Keep a record of who consented, to what purpose, when, and which wording they saw, because you must be able to demonstrate that consent was given.
- Do you have a method to erase the data upon request? GDPR sets out when data must be deleted, including when the purpose it was collected for no longer applies, when consent is withdrawn, or when the individual asks for it to be removed. Erasure means removing every copy that resulted from your collection: production databases, exports sitting on individual computers, backups, and copies held by vendors you shared the data with, who must be told to delete it too. Purge the data completely; flagging an account as deactivated does not count. Though there are exceptions, in general individuals have the “right to be forgotten.”
- Can you provide the data you have gathered to the individual upon request? Individuals have the right to request and receive a copy of the data you hold about them, normally free of charge, within one month, and in a commonly used electronic format.
- Is your privacy information compliant? GDPR expands what your privacy notice must state to include how long you will keep the data, the purpose and legal basis for collecting it, and the individual’s rights over it. The required information differs depending on whether the individual gives you the data directly or you obtain it by other means, such as cookies or third parties.
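The checklist items above are usually implemented together: you cannot honor an access or erasure request unless you know where every copy of a person’s data went. The following Python is an added example, not code from the original article or any vendor; the store names, consent fields, vendor-notification flow and sample visitors are all constructed for illustration. It enforces affirmative opt-in, exports everything held about a subject, purges every copy it controls, reports vendor copies as pending until confirmed, and flags data that has outlived its retention period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class ConsentError(ValueError):
    """Raised when a 'consent' is not a real opt-in, or data has no consent behind it."""


@dataclass
class Consent:
    subject_id: str
    purpose: str          # plain-language reason the data is collected
    granted_at: datetime
    method: str           # the action the subject actually took
    notice_version: str   # which privacy notice wording they were shown


# Assumed method names. Only an action by the subject counts; defaults and silence do not.
AFFIRMATIVE_METHODS = {"checkbox_ticked", "opt_in_button_clicked"}


def record_consent(subject_id, purpose, method, notice_version, now):
    if method not in AFFIRMATIVE_METHODS:
        raise ConsentError(f"{method!r} is not an affirmative opt-in")
    return Consent(subject_id, purpose, now, method, notice_version)


class Store:
    """One place personal data lands (CRM, mailing tool, analytics cache)."""
    def __init__(self, name):
        self.name, self.rows = name, {}

    def put(self, subject_id, record):
        self.rows.setdefault(subject_id, {}).update(record)

    def get(self, subject_id):
        return dict(self.rows.get(subject_id, {}))

    def purge(self, subject_id):
        # Hard delete. A 'deactivated' flag would leave the data on disk.
        return self.rows.pop(subject_id, None) is not None


class VendorShare(Store):
    """Copies handed to a third party: we can only notify them, not delete for them."""
    def __init__(self, name):
        super().__init__(name)
        self.notified = set()

    def purge(self, subject_id):
        if self.rows.pop(subject_id, None) is not None:
            self.notified.add(subject_id)   # stands in for the real deletion notice
        return False                        # not erased until the vendor confirms


class Inventory:
    """Tracks consent per subject and every store their data was copied into."""
    def __init__(self, stores):
        self.stores, self.consents = list(stores), {}

    def grant(self, consent):
        self.consents[consent.subject_id] = consent

    def collect(self, subject_id, store, record):
        # Refuse to land data for anyone without a recorded opt-in.
        if subject_id not in self.consents:
            raise ConsentError(f"no consent on file for {subject_id!r}")
        store.put(subject_id, record)

    def export(self, subject_id):
        """Right of access: everything held, labelled by where it lives."""
        return {s.name: s.get(subject_id) for s in self.stores if s.get(subject_id)}

    def erase(self, subject_id):
        """Right to erasure: purge every copy, then re-check that nothing remains."""
        purged, pending = [], []
        for s in self.stores:
            if s.get(subject_id):
                (purged if s.purge(subject_id) else pending).append(s.name)
        self.consents.pop(subject_id, None)
        remaining = [s.name for s in self.stores if s.get(subject_id)]
        return {"purged": purged, "pending_vendor": pending, "remaining": remaining}

    def past_retention(self, now, retention):
        """Subjects whose data has outlived its purpose and must go even unasked."""
        return [sid for sid, c in self.consents.items() if c.granted_at + retention <= now]


def demo():
    """Constructed sample: one visitor who ticked the box, one who only saw a pre-checked one."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    crm, newsletter, vendor = Store("crm"), Store("newsletter"), VendorShare("ad_vendor")
    inv = Inventory([crm, newsletter, vendor])
    inv.grant(record_consent("u1", "monthly newsletter", "checkbox_ticked", "v3", now))
    inv.collect("u1", crm, {"email": "u1@example.com", "ip": "203.0.113.7"})
    inv.collect("u1", newsletter, {"email": "u1@example.com"})
    inv.collect("u1", vendor, {"ip": "203.0.113.7"})
    try:
        record_consent("u2", "monthly newsletter", "prechecked_default", "v3", now)
        rejected = False
    except ConsentError:
        rejected = True
    exported = inv.export("u1")
    due = inv.past_retention(now + timedelta(days=400), timedelta(days=365))
    report = inv.erase("u1")
    return {"rejected": rejected, "exported": exported, "due": due,
            "report": report, "after": inv.export("u1")}


if __name__ == "__main__":
    print(demo())
```

The point of the `Inventory` is that erasure and access are only as complete as your data map: the code can purge the stores it knows about and verify they are empty, but a vendor copy stays “pending” until the vendor confirms, which is exactly the gap a real erasure procedure has to close with contracts and follow-up.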
This is a starting point and does not cover the many requirements and exceptions of the full regulation. Because the updates will take time to implement, start now to meet the May 2018 deadline.