GDPR Explained. It Will Change Business – Here’s How

Nick Coppolo
May 22, 2018

What is GDPR? When will it come into effect?

  • The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018.

Who needs to be concerned about it?

  • Any EU site or application that “processes” information on users regardless of citizenship.
  • Any non-EU site or application that “processes” or monitors information on users with EU citizenship.

How can businesses prepare?

  • Read the law or hire a consultant.

What are the risks of non-compliance?

  • Fines (up to 4% of annual global revenue).

What does this mean for the industry as a whole, and how will it change business?

  • The law doesn’t challenge the legality of storing and using data; rather, it dictates guidelines for transparency and consent. On one hand, customers may balk once they discover the breadth of what companies want to do with their personal information. On the other hand, requiring explicit consent and transparency may reduce the actions customers can take against a company, and so protect it, following a breach or similar issue.
  • The law does dictate that customers must be able to revoke access, request a hard delete of their data, and request documentation on how and what data is being “processed.” Additionally, it dictates the terms, timeframe, and communication requirements for companies to fulfill these requests.
  • Lastly, the law dictates terms and time limits for companies to publicly disclose breaches.

Checklist for GDPR compliance.

  • Ensure all consent is explicit.
  • Maintain an inventory of the data you capture and what you do with it.
  • Ensure that the customer knows that usage of an application or site is contingent on consent, when applicable.
  • Redesign your consent forms, privacy policy, and terms of use to accommodate, disclose, and allow for consent for each data type and usage.
  • Implement persistently available disclosure pages that describe all data points and their usage including selling or passing data to third parties.
  • Implement controls for users to opt-out or revoke data usage globally and per data point.
  • Design mechanisms to retrieve, provide, and delete data at the request of the user.
  • Put processes in place for rapid response and communication of breaches.