
Are you GDPR-ready?

You’ve probably seen a flurry of privacy policy updates, email permission requests and announcements about compliance with Europe’s General Data Protection Regulation, or GDPR for short. If you run an online business and are still wondering what all the fuss is about, it’s high time to educate yourself — or pay the price.

Even if you’re not based in Europe, if you gather personally identifying information from leads, customers or subscribers who live in Europe, you need to comply. It may be as simple as complying with your country’s data protection laws (if they measure up to EU standards). Or it may require you to review your data security practices and implement some new practices and technologies.

What is GDPR?

Europe’s GDPR is a data protection and privacy regulation created to harmonize data protection laws across Europe. It gives EU citizens and residents control over how their personal data is collected, used and shared.

GDPR came into force on May 25, 2016. Since this date, organizations that collect data from EU residents have been required to update their privacy policies and change the way they collect, store and share personally identifiable information.

GDPR applies to all organizations that do business in the EU. It requires organizations to:

Why was there a push for GDPR by regulators?

The EU’s data protection laws have consistently been among the best in the world. As technology and the way we use it has changed rapidly (and will continue to change in ways we can’t imagine) EU regulators realized it was time to upgrade the previous regulation — 1995’s Data Protection Directive — to encompass current and future technologies and practices. The EU adopted GDPR in 2016 and made it applicable to all organizations that do business with EU residents on May 25, 2018.

What does it mean to obtain explicit consent to collect and store data?

Regardless of where your business is located, you are required to honour the data protection regulations that apply in the countries where your customers or subscribers live.

For example, if your company is based in the United States and you gather even the smallest amount of data from EU residents, GDPR requires you to follow specific rules for obtaining consent to collect, store and share their data.

Key to this process is ensuring you have explicit consent — the data subject must carry out an action that indicates specific, informed and unambiguous agreement to have their personal data processed. If you haven’t obtained consent, you will need to ask for it retroactively. And you must be able to demonstrate that an individual has given their consent, if asked.

How do you obtain explicit consent from customers or subscribers?

What happens if you don’t comply with GDPR?

Non-compliance can result in some hefty fines. Companies that violate certain articles of GDPR can be fined as much as 20 million Euros, or four percent of the previous year’s global revenue (whichever is higher). Other infringements can cost up to 10 million Euros, or two percent of global revenue. You get the picture.

But the other risk of not complying involves the security of your data. GDPR was created to protect consumers, but it also exists to ensure that data remains secure from increasingly sophisticated breaches. Being hacked and having your data stolen and exposed is a considerably more expensive situation — both in terms of the risk to your customers and business and the damage to your brand.

Getting started: follow a GDPR compliance checklist

Depending on where you stand today with your data protection policies, getting started with GDPR compliance can be a daunting task. Begin by reviewing your country’s data protection laws and how they align with GDPR. Then audit your current technology and business practices. It helps to follow a GDPR compliance checklist such as The GDPR Compliance Checklist. From there, you’ll be able to see where you are today and where you need to go before assigning tasks to the right people in your organization.