GDPR [wod]

Word of the day [wod] is GDPR.

The European Union General Data Protection Regulation applies to you as a service provider or vendor, even if you are not an EU citizen, or even within EU borders, as long as you offer services to anyone within the EU – including people who are not citizens of the EU.

Why should you care?  The maximum fine for non-compliance is up to 4% of your company’s global revenue, or  20 million Euros.  There is one year left to prepare your data systems, your contractors, your databases, and all of your systems, since the regulation goes into effect in May of 2018.

Sounds like a long time?  Not if you have to make any fundamental changes to your systems, the way you handle your customer “opt in” choices, and how you handle their data if and when they arbitrarily revoke their permission for you to use that data, which individuals have a right to do at any time.  How ready do you feel?

Even Brexit will not reduce obligations of British companies to comply with GDPR, if any customers are within EU borders.

“only 47 percent of UK businesses were aware of the new requirements”

Among the high points:

  • They will have an obligation to erase data when customers ask to exercise their ‘right to be forgotten’ and withdraw their consent to storing or using their personal data.
  • They will have to get explicit consent to collect any personal data.
  • Customers must give their data freely, not because they are threatened with not being able to access services, for example. Any request for data must be made in clear and plain language and asked for separately from any other terms, conditions or information.
  • Retailers must allow customers to see their own data and be able to give them a copy of any personal data in a commonly readable format so they can exercise their right to data portability – ie transfer personal data from one product or service provider to another.
  • UK retailers will have to notify the Information Commissioner’s Office (ICO) within 72 hours about serious data breaches and any customers who might have had their rights affected. Failure to comply risks a fine of up to 4 percent of global turnover.

This is a very hopeful sign for individual privacy rights, since it might actually be easier for global companies to comply globally (including compliance to GDPR) for everyone rather than build separate systems for EU vs non-EU customers.   If you have a non-EU customer travel to EU, what should you do?    Hint:  comply.

Perhaps if more companies followed EU’s example and were in compliance with GDPR in a year, that would be great.    Keep yourself informed about the progress of this regulation.