What is GDPR?
Diving into the legalese of GDPR isn’t what we call enjoyable reading, so let’s break it down a bit. GDPR stands for General Data Protection Regulation. It was created in the European Union and rolled out on May 25th of 2018 (happy belated birthday GDPR!) to protect the data of EU citizens, but it has a global impact despite being an EU law.
GDPR gives individuals more control over their own personal data online. This is extremely important because personal data is a trillion-dollar industry! That’s trillion with a T! By putting control of your data back in your own hands, GDPR takes that power away from big companies like Facebook and Google (in theory), who deal heavily in the massively profitable personal data market.
What is personal data?
Personal data covers a lot of information. Contact information, device details (IP addresses, location data), bank account details, ID numbers, social media posts, geotagging, personal health information, race, and even your opinions, videos, and photos posted to social media are considered personal data.
These elements put together paint a picture of you online. So it’s a pretty big deal to take the power away from those who profit off of selling personal data.
What happens if GDPR is violated?
Fines. To be exact, up to €20 million ($23 million) or 4% of annual global turnover. Yikes, right? Well, it’s proven to not be that big of a deal to the really big players, like Google, which was served a $57 million fine that it probably found in its couch cushions. If nothing else, it’s bad publicity to get slapped with a GDPR fine, and hopefully it will persuade companies to be more careful with user data and more serious about data security going forward. For smaller companies, a GDPR fine could potentially be financially devastating. So let’s talk about how to avoid such devastation!
What is GDPR compliance & why is it important?
Business owners that potentially have EU users, even just as subscribers to a blog or newsletter, need to be compliant with GDPR.
In broad terms, compliance will include the following aspects:
- Collect data legally and use it ethically
- Collect as little information as possible
- Use trusted applications to protect any collected data
- Only store data as necessary
If you run a website that doesn’t collect any subscriber information or sell anything, you generally don’t need to worry about GDPR.
While this is not meant to be legal advice in any way, here’s what you need to become GDPR compliant:
- Data Protection Impact Assessments (DPIAs)
  - Check out the ICO’s comprehensive guide to DPIAs.
- Data Breach Notifications
  - You have 72 hours to report a breach and must inform users ASAP.
- Privacy Policies
The Future of Privacy Laws
We mentioned in our last blog that GDPR-like laws are popping up all over the place. The most mature of these laws comes out of California and is called the California Consumer Privacy Act (CCPA), which has been dubbed California’s “GDPR lite”. It’s a new law that rolled out January 1, 2020, based on the EU’s law. (We’re currently in the grace period before the law is enforced, which ends July 1, 2020.) Let’s talk a bit about what to expect.
Basically, CCPA defines who needs to comply a bit more specifically than GDPR, which is broader in its compliance definition. CCPA also doesn’t give the consumer/user quite as many rights as GDPR. CCPA is weaker for the consumer/user in that it doesn’t force the company to get permission before selling personal data. It only has the company give you the option to withdraw your consent after the fact.
The CCPA is not quite as broad as GDPR. This infographic lays out the differences between the two laws, and this checklist is extremely handy in sorting out anything you can think of when it comes to your questions about compliance with CCPA.
Becoming GDPR compliant is a good starting point for your compliance with US-based privacy laws because if you’re at a minimum GDPR compliant, you’ll very likely already be able to fulfill the requirements of CCPA. And just a reminder that this is in no way intended to be legal advice — chat with your legal advisors on that front if you have any questions.
Here are the basics of who needs to comply with this law: any organization that meets at least one of the following three criteria annually:
- Earns revenues greater than $25 million.
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
If you fulfill just one of the above criteria, you need to comply with the CCPA. Do head to this website for their checklist tool, and also go to the CCPA’s official site to get more guidance on what you need to do.
Please do have a chat with your legal counsel if you have any specific concerns about your organization in regards to complying with any of the above laws.