A Quick Guide to the GDPR
The European Union General Data Protection Regulation (or GDPR) is a new piece of legislation from the European Union that was adopted in April 2016 and applies from the 25th of May 2018.
At first glance it can look intimidating. It is no small amount to take in, and with fines of up to €20 million or 4% of your company's annual global turnover (whichever is higher) for non-compliance, there is plenty of good cause to be in the know.
Disclaimer: This guide isn't written by a lawyer and aims to give a simple, easy-to-understand overview rather than an in-depth breakdown of the GDPR.
If you are looking to get into all the details, we highly suggest either going over the OAIC's business guide or seeking advice from a lawyer.
The aim of this legislation is to protect the personal data of individuals in the EU and give them more control over what happens to their footprint on the internet.
The big difference between the GDPR and other national privacy acts is that it applies not just to businesses physically based in the EU, but to any business worldwide that serves individuals located there.
The GDPR applies to Australian businesses that meet any one of three criteria:
- Your business is established in the EU.
This refers to having a direct physical presence somewhere in an EU member state.
- Your business offers goods or services to EU-based individuals (free or otherwise).
Your business is considered to be offering goods or services to EU-based individuals if, for example, it offers its site or ordering process in the language or currency of an EU member state, or directly mentions customers or users who are in the EU. Merely being reachable from the EU is not enough on its own.
- You monitor the behaviour of EU-based individuals.
This covers any tracking of individuals' online behaviour your business runs, such as Google Analytics or profiling based on purchase history.
If your business does not serve individuals in the EU, then these new rules will not apply to you. If one or more of these criteria do apply to you, the GDPR will be in full effect as of the 25th of May, so now is the time to work on becoming compliant.
The main responsibilities under the GDPR are:
- Having a lawful basis for collecting any personal data from an EU-based individual. For most small websites this means obtaining their explicit, clearly given consent.
- Plainly stating which (if any) personal data is being held, and what it is being used for.
If your site has a contact form, you are required to tell the individual what personal data they submit (such as their email address) will be held, and for what purpose.
- Deleting any data that you no longer have a legitimate need for.
- Giving an individual a full copy of all data held on them upon their request.
If an individual in the EU requests a copy of their purchase history or any other personal data that is held, it must be delivered within one month of their request.
- Completely deleting all data held on an individual upon request.
There are some exemptions to this. Purchase history, for example, must be retained for obvious tax reasons, and WordPress plugins such as Wordfence keep a record of blocked IP addresses. Those IP addresses are personal data that the GDPR covers, but an exemption applies because the data is held for necessary security reasons. In any situation like this, the requester must be informed of what data is still being held and why within a month of their request.
- Maintaining complete records of all data processing activities.
If your company employs fewer than 250 people it is exempt from this, unless the processing is regular (rather than occasional), is likely to pose a risk to individuals, or involves sensitive categories of data.
- Reporting a data breach to the relevant supervisory authority within 72 hours of becoming aware of it, and informing the affected individuals without undue delay where the breach is likely to put them at high risk.
Whilst notifying after the 72-hour deadline is permitted, the notification must be accompanied by a clearly stated and legitimate reason for the delay.
- If a business carries out regular and systematic monitoring of individuals on a large scale, it must designate an official Data Protection Officer. A business outside the EU that falls under the GDPR must also appoint a representative in the EU unless its processing is only occasional and low risk.
We hope this quick guide helps you on your way to becoming GDPR compliant.
Even if you aren't entirely sure whether your company will be considered as serving individuals in the EU under the new rules, it's worth working on GDPR compliance anyway just to be safe, so consider giving your webmaster a call or get in contact with us and we can help you on your way.