The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it does not have a business presence within the EU. The specific criteria for companies required to comply are:
A presence in an EU country.
No presence in the EU, but it processes personal data of European residents.
Legal Disclaimer / Disclosure
We are not lawyers. Nothing on this website should be considered legal advice. When in doubt, it’s best to consult an attorney to determine if you are in compliance with all applicable laws for your jurisdiction.
The “Cliff Notes”
GDPR makes sure that businesses can’t go around spamming people by sending emails / newsletters that they didn’t ask for. We can’t sell people’s data without their explicit consent. We have to delete a user’s account and unsubscribe them from our email lists if the user asks. We also now have to report data breaches.
Explicit Consent
Cookies
For those who visit your website, your website is collecting some basic information on those visitors. The type of information may vary: it might be Google Analytics recording where the visitors are coming from and tracking them as they click through your website, or it may simply be remembering which pages they visited last time.
Newsletters / Email Blasts
If you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form, because they DID NOT opt in to your marketing newsletter.
For it to be considered explicit consent, you must require a positive opt-in (i.e. no pre-ticked checkbox) and use clear wording (no legalese). You will now see an “opt-in” option on many forms.
Rights to Data
You must inform individuals where, why, and how their data is processed / stored. An individual has the right to download their personal data, and an individual also has the right to be forgotten, meaning they can ask that their data be deleted.
When you hit Unsubscribe or ask companies to delete your profile, it now has to actually happen.
Organizations must report certain types of data breaches to relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individual data. If a breach is high-risk, then the company MUST also inform individuals who are impacted right away.
Data Protection Officers
If you are a public company or process large amounts of personal information, then you must appoint a data protection officer. This is not required for small businesses. Consult an attorney if you’re in doubt.