Alex Keeley

GDPR: Crash Course!

Updated: Dec 21, 2021

What is the “GDPR,” how will it affect your business, and what can you do in the next three days?

Have you been ignoring the upcoming GDPR because it seems like it doesn’t apply to you, or it seems too complicated? Read on to get some peace of mind around this new regulation, and avoid the possibility of extreme fines and/or having to defend regulatory investigations in the European Union.

What is the “GDPR”? The General Data Protection Regulation (“GDPR”) is a new regulation from the European Union (“EU”) that protects the personal data of individuals in the EU and reaches organizations well outside the EU's borders. The GDPR takes effect on May 25th, 2018 (yes, this Friday!).

But I’m not in Europe, how does this affect me? The GDPR applies to organizations outside the EU that collect personal data from people in the EU (“EU data subjects”) while offering them goods or services, or while monitoring their behaviour (website analytics and tracking cookies are the common case). Personal data includes the usual items (name, phone number, etc.), but also seemingly innocuous data such as IP addresses and identifiers stored in cookies. If EU data subjects use your website and you collect any of their data in that way, the GDPR applies to you. If you are not compliant, the regulation gives regulators the ability to levy large fines (up to the greater of 10M Euros or 2% of worldwide annual turnover for the lower tier of infractions, and up to the greater of 20M Euros or 4% for the more serious ones), but beyond that, a claim by an EU data subject can be extremely time consuming and costly to defend.

What can I do now?

  1. Privacy Policy/Notices: When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice and more generally through your privacy policy. Under the GDPR there are some additional things you need to communicate. For example, you will need to explain your lawful basis for processing the data (consent?), your data retention periods and that individuals have a right to complain to the European regulators if they think there is a problem with the way you are handling their data.

ACTION: Review your current privacy policy and privacy notices and assess what changes you need to make for GDPR compliance.

  2. Consent: Under the GDPR, consent to use someone’s data must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, it must be verifiable (you need a record of who consented, to what, and when), and you will need to have simple ways for people to withdraw consent. NOTE: if you collect personal data from children (under 16 per the GDPR, although individual member states may lower that age to as low as 13), you will need to make sure you are getting consent from their parent or guardian.

ACTION: Make sure you are receiving consent from individuals before you use/process/store their data, and ensure that the consent meets the GDPR standards on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. (see: https://gdpr-info.eu/art-7-gdpr/) For example: If your website sets non-essential cookies (analytics, advertising), you should have a banner that does not set those cookies until the user actively opts in, and that still lets the user decline and use the site, since consent that is forced is not “freely given.” If you have an email list whose subscribers were not collected on an opt-in basis you can document, you should consider sending out an email to everyone requesting they opt in to the email list again.

  3. Data Breaches: The GDPR requires all organizations to report certain types of data breach to the regulators, and in some cases, to affected individuals. You only have to notify regulators of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. When notification is required, it must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach, so your detection and escalation process has to be fast enough to meet that clock. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

ACTION: Put procedures in place to effectively detect, report and investigate a personal data breach, assess the types of personal data you hold, and document where you would be required to notify regulators or affected individuals if a breach occurred.
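The consent requirements in item 2 above translate directly into a small piece of engineering: a consent ledger whose default is "not granted," that only accepts an explicit affirmative action, that records who consented to what and when (so the consent is verifiable), and that can be withdrawn in one step. The following is an added example and is not code from the original post. All names, the two purposes, the notice version string and the in-memory Map storage are hypothetical stand-ins chosen so that it runs offline; a real deployment would persist the records and tie the cookie gate to the browser's cookie API.

```javascript
// Added example, not code from the original post. A minimal consent ledger that
// enforces the Article 7 properties listed above: consent is opt-in only (the
// default is "not granted" and anything but an explicit `true` is rejected),
// granular per purpose, verifiable (who, when, under which notice version), and
// easily withdrawn. It also flags records taken under an older privacy notice so
// the site can ask for fresh consent. All names, purposes and the policy version
// are hypothetical; storage is an in-memory Map so the example runs offline.

const PURPOSES = ["analytics", "marketing"];   // hypothetical non-essential purposes
const POLICY_VERSION = "2018-05-25";            // hypothetical current notice version

class ConsentStore {
  // `now` is injectable so a fixed timestamp can be used when exercising the code.
  constructor(now = () => new Date().toISOString()) {
    this.records = new Map(); // subjectId -> { policyVersion, purposes: { name: { granted, at } } }
    this.now = now;
  }

  // A subject we have never heard from has granted nothing: silence is not consent.
  emptyRecord() {
    const purposes = {};
    for (const p of PURPOSES) purposes[p] = { granted: false, at: null };
    return { policyVersion: POLICY_VERSION, purposes };
  }

  // Record an affirmative opt-in for one purpose. `affirmed` must be the boolean
  // `true` produced by a deliberate user action (an unchecked-by-default box, a
  // click), so a pre-ticked, missing or string value can never count as consent.
  grant(subjectId, purpose, affirmed) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (affirmed !== true) throw new Error("consent requires an explicit affirmative action");
    const rec = this.records.get(subjectId) || this.emptyRecord();
    rec.purposes[purpose] = { granted: true, at: this.now() };
    rec.policyVersion = POLICY_VERSION;
    this.records.set(subjectId, rec);
    return rec;
  }

  // Withdrawal is a single call and records its own timestamp, so the ledger
  // shows when consent stopped as well as when it started.
  withdraw(subjectId, purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const rec = this.records.get(subjectId) || this.emptyRecord();
    rec.purposes[purpose] = { granted: false, at: this.now() };
    this.records.set(subjectId, rec);
    return rec;
  }

  // Consent given under an earlier notice version does not carry over automatically.
  needsReconsent(subjectId) {
    const rec = this.records.get(subjectId);
    return rec !== undefined && rec.policyVersion !== POLICY_VERSION;
  }

  hasConsent(subjectId, purpose) {
    const rec = this.records.get(subjectId);
    if (!rec || this.needsReconsent(subjectId)) return false;
    const entry = rec.purposes[purpose];
    return entry !== undefined && entry.granted === true;
  }

  // Evidence export for a complaint or regulator inquiry: exactly what was
  // granted or withdrawn, when, and under which notice version.
  evidence(subjectId) {
    const rec = this.records.get(subjectId);
    return rec ? JSON.parse(JSON.stringify(rec)) : null;
  }
}

// Gate for the website case: a non-essential cookie is only set once consent for
// its purpose is on record. `cookieJar` is a plain object standing in for document.cookie.
function setCookieIfConsented(store, subjectId, purpose, cookieJar, name, value) {
  if (!store.hasConsent(subjectId, purpose)) return false;
  cookieJar[name] = value;
  return true;
}

// Gate for the email-list case: splits subscribers into those who may still be
// mailed and those who must be asked to opt in again before any further mailing.
function partitionMailingList(store, subjectIds) {
  const mailable = [];
  const mustReconfirm = [];
  for (const id of subjectIds) {
    (store.hasConsent(id, "marketing") ? mailable : mustReconfirm).push(id);
  }
  return { mailable, mustReconfirm };
}
```

The two gates are where the legal requirement becomes enforceable: nothing in the page can set an analytics cookie, and nothing can send a marketing email, without first asking the ledger, and the ledger answers "no" for anyone who never opted in, who withdrew, or who consented under a superseded notice.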

Conclusion: While taking the above actions does not guarantee your compliance with the GDPR, it will put you in a position to deal with the direct risks to your business. There are many more details of the GDPR that you should eventually deal with, but these actions move your business toward compliance. One key aspect of EU regulations is that if you can show you are trying to comply, you have a better chance of being able to work with the regulators if something goes wrong. If you do nothing, you become a prime target for the regulators to make an example of. Ultimately, to get full peace of mind regarding your compliance, you will want to consult with an expert in this field.

Recap of actions you can take:

  1. Review your current privacy policy and privacy notices and assess what changes you need to make for GDPR compliance.

  2. Make sure you are receiving consent from individuals before you use/process/store their data, and ensure that the consent meets the GDPR standards on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.

  3. Put procedures in place to effectively detect, report and investigate a personal data breach, assess the types of personal data you hold, and document where you would be required to notify regulators or affected individuals if a breach occurred.

This Blog, and the information contained herein, are intended for informational use only. Nothing in this Blog should be construed as legal advice.
