GDPR applies from May 25th, 2018, and there is no way around it. The General Data Protection Regulation (GDPR) is the EU's new privacy regulation. It applies directly in every EU member state, and it also reaches businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour. It replaces the patchwork of national laws built on the 1995 Data Protection Directive with one set of rules, and it gives individuals in the EU far more control over their personal data.
The impact on marketers, business owners, data controllers and data processors is substantial. If your business is not prepared, it needs to get there now to avoid hefty fines. This applies especially if you rely on digital agencies or other third parties to handle customer data on your behalf, because you remain responsible for how that data is processed.
Contrary to what many people think, GDPR is not there to punish businesses. It is there to protect personal information and to broaden individuals' rights over it. Any company that processes personal data of people in the EU needs to be GDPR compliant by the time it applies.
What does General Data Protection Regulation mean for your business?
There are many requirements your business must meet and here are some of the most significant changes:
The definition of personal data is broader. Besides names, contact details, medical and financial information, it now explicitly covers online identifiers such as IP addresses, cookie IDs and device identifiers, as well as location data. Many businesses collect these without thinking of them as personal data, which is where they get caught out.
Consent rules get strict. A business must have a lawful basis for obtaining, processing and storing personal data; consent is one of six lawful bases, alongside contract, legal obligation, vital interests, public task and legitimate interests. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and it must be obtained separately for each distinct purpose. Pre-ticked boxes and bundled consent no longer count.
Documentation is mandatory. Your business has to keep records of processing activities: what data you hold, why you process it, who it is shared with and how long you keep it. Where you rely on consent, you must be able to show when it was obtained and what wording the person agreed to. You must also document the security measures protecting the data.
Data subjects' rights are broader. People can ask you to delete their data (right to erasure), to hand it over in a machine-readable format so they can move it to another service (data portability), to tell them what data you hold and how it is used (right of access) and to correct inaccurate data (rectification). You must be able to act on these requests, generally within one month.
Policies must be in place for processing and storing personal data. The company must audit itself regularly to confirm those policies are followed, and high-risk processing calls for a data protection impact assessment before it starts.
A personal data breach must be reported to the national supervisory authority within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the risk to individuals is high, they must be notified as well. Breaches that do not need to be reported still have to be documented internally. It remains the business's duty to protect personal data in the first place: security must be monitored, and policies to prevent and detect breaches must be in place.
The new requirements can seem like a lot of work, and many companies had not implemented them despite the two-year preparation period the EU allowed. There is no grace period: companies must meet the GDPR requirements in time or face fines. Under GDPR there are two tiers of administrative fines. Less serious infringements, such as failing to keep records or to report a breach, can be fined up to 10 million euros or 2 percent of global annual turnover, whichever is higher. Serious infringements, such as processing without a lawful basis or ignoring data subjects' rights, can be fined up to 20 million euros or 4 percent of global annual turnover, whichever is higher.