On 25 May 2018, a new law comes into force, replacing the current and outdated Data Protection Act. This new law introduces tougher fines for non-compliance and gives individuals more influence over what businesses can do with their personal information.
What is the GDPR law?
The GDPR means General Data Protection Regulation, it is a new regulation is a new European legislation governing the use and processing of personal data of individuals, it can be read in full on the CNIL website.
It has 3 objectives:
Harmonize European regulations on the protection of private data of individuals between European countries.
Give citizens control over how their personal data is used.
Ensure that companies are aware of their responsibilities for personal data.
Who is concerned?
If you have a company operating in the EU or if you sell to customers in the EU, this new legislation applies to you, especially if you have a website or applications retrieving information about their users. This regulation applies to companies established outside the European Union that target EU residents through profiling or offer goods and services to European residents.
The GDPR has also eliminated distinctions between different types of businesses – including B2B, B2C, for-profit and non-profit – which means that the law also applies to all organizations that handle the personal data of European citizens.
In which case to apply it?
Although these regulations are theoretical and in fact the legislation is generally inapplicable within the time limit imposed for the vast majority of existing websites, it should be taken into account for any new website development collecting user data.
All stakeholders should be in compliance with the GDPR by May 25, 2018. Although this date may seem too close and unrealistic, you should still familiarize yourself with this new legislation and prepare to apply it to your existing websites and applications as planned.
What is the amount of the fine?
Companies that do not comply with the GDPR could be fined 2-4% of their annual income, or up to $ 20 million, whichever is greater.
Here are eight things you need to know:
- “Personal data” now covers a much wider range of information, including photos, bank details, social media names, medical information, email addresses, and birth dates. The legislation only applies to the information of individuals, not companies.
- You must keep records of all data processed by your company, as well as the purpose of the processing, and they should only be kept for legitimate purposes before being destroyed. The processing of personal data is authorized when:
– the consent is given by the individual to process his data (which must be recorded)
– a contract requires data processing (in the case of employees, for example),
– there is a legal obligation, a vital interest or public interest, or a legitimate interest – such as personal information collected for marketing purposes.
- When collecting personal data for a list of marketing email addresses, it was acceptable to have a pre-checked box in which individuals had to remove the check mark in order to unsubscribe. This is no longer acceptable, this box can no longer be precoched and there must be a process of “double opt-in”. This means that individuals will need to check a box to participate in marketing communications and will need to receive a confirmation email that will allow them to unsubscribe.
- If you determine the purpose for which personal data is collected and how it will be processed, you are referred to as the “Data Controller”. A Data Processor is another person or organization, other than an employee of the Data Controller, who processes the data on their behalf. An example of this might be if you outsource your payroll or human resources functions. You must ensure that you have an appropriate and sufficient contract with all data processors that you use, to ensure that the personal data you provide is protected against unauthorized access, loss, or destruction.
- The persons whose personal data you have collected have the “right to be forgotten”. If they request that their data be completely erased, you must comply with this request and notify all other organizations that hold the data, such as a data processor, to delete them as well. There may be certain exemptions where there is a legitimate interest in keeping certain records, such as employee information, which is usually kept for at least 40 years.
- The persons for whom you have personal data may request access to the information you hold about them. You are no longer able to charge an administration fee to comply with their application, and you have only 40 days to complete the application and disclose the information. Requests for information are very generic and you must provide all information relating to the individual. If the person is looking for specific information, you can reduce the time and expense required to comply with this request by asking if there is specific information that they need and providing this information.
- If you experience a data breach, such as if a security breach would have allowed a hacker to recover one of your databases, you must notify the Office of the Information Commissioner within 72 hours. Anyone affected or potentially affected by this data theft must also be notified.
- Failure to comply with these new rules could result in a significant penalty. If a violation is not reported within 72 hours, you may be fined 2% of your total turnover, whichever is higher.
How to prepare
- Use double opt-in confirmation for newsletters
We recommend using dual membership forms to gather new subscribers to your newsletter and to make it clear to users how their personal data will be used.
The GDPR also requires an easy way for your contacts to unsubscribe: all sent newsletters must contain an unsubscribe link.
- Learn how to correct and delete information from your contacts
The right to access, modify and delete data is one of the key points of the GDPR
- Update your subscription forms
We recommend that you review and update the wording of your newsletter subscription forms so that they are as explicit as possible about how the requested information will be used. Include an affirmative language that clearly indicates that the user agrees with the stated terms.
- Delete contacts and lists you no longer need
One of the main objectives of the GDPR is to minimize the risk of leakage or data leakage and to prevent the misuse of the personal data of European residents.
That’s why it’s best to delete all your inactive contacts or those who have already unsubscribed to your communications. If you do not use this information, it is best to ignore it.
For more information on the new GDPR legislation, please consult these links.