In the last few months, you have likely noticed multiple emails and messages from various corporations and companies alerting you to their new data privacy policies. The sudden influx of emails may seem alarming, but they are being sent in large part in response to the new General Data Protection Regulations that was recently issued by the European Union.
The GDPR have far reaching consequences and impact most businesses that have an online presence, including businesses based in the United States. With the increasing focus on data privacy and consumer protections, no one wants to get on the wrong side of these types of regulations. This is why it makes sense for all business owners to consider whether they are affected by the GDPR and, if so, what they need to do.
Understanding the GDPR in Gig Harbor
The GDPR took effect in May 2018. Although the regulations come out of the European Union, they apply to any online platform that can be accessed or interacted with by European citizens where data is collected for certain purposes. This means even if you don’t have an EU web address, if your website might be used by international customers or readers, the GDPR might apply.
Because the GDPR is concerned with data collection, it is aimed at websites that collect user data – either through online forms or through cookies or other forms of online tracking. If your website does not currently utilize these types of technologies, the GDPR is less of a concern for you.
The GDPR aim is to give Europeans greater control over their individual data. Under the regulations, any website or app accessed by Europeans must give them the option to control how their data is used and must provide updated terms of service. The updated terms of service is the reason for the many emails that you have been receiving.
The goal of the GDPR is to give individuals better control over the information that they share and how that information is shared with third parties. Increasingly, our personal, professional, and financial data is collected by the websites and online providers that we use. And that information is shared with others without our knowledge or control. The GDPR hopes to create more transparency and control in that process.
What Exactly Does the GDPR Require?
Determining how to comply with the GDPR is an ongoing process. Because the regulations are incredibly complex, lawyers, marketing firms, and businesses around the world are grappling with how to properly respond.
While you’ll want to consult with an attorney to determine exactly how your business may need to become GDPR compliant, the basic requirements to understand are: (1) the GDPR requires that websites and apps collect data only for legitimate purposes; (2) the GDPR requires consent for the collection of that data, and (3) the GDPR requires that users have the opportunity to opt out of collection or to destroy data that has been collected.
This means that if your website or app currently collects data from its users, it will now need to let them know that this data is being collected and ask for their consent to do so before proceeding further. Moreover, the GDPR will require websites to keep closer tabs on how long the data they acquire is kept, and to keep it only as long as reasonable for the purposes it is intended for.
Finally, the GDPR requires businesses to provide customers, visitors, and users to have their personal data deleted if they so request. This is known as the option to “be forgotten,” and means that even if an individual initially consented to the use of their data, they have the right to revoke that consent at any time.
When it comes to defining what is “personal data” covered by the regulations, the European Union takes a broad view. The types of data protected by the GDPR include personal data such as social security numbers, addresses, and names, as well as health data, political opinions, and sexual orientation.
The Failure to Comply
One of the most significant aspects of the GDPR is the very significant penalties that it imposes for companies that do not implement the protections mentioned above. Under the GDPR, companies can be fined up to four million dollars or four percent of global annual turnover if they fail to comply with the regulation requirements.
Given the significant changes required by the GDPR, it is anticipated that a significant number of companies will remain out of compliance as they work to beef up their data protections and determine how to delete user data. At this juncture, it is anticipated that showing good faith efforts to comply with the regulations will be spared any harsh penalties.
Acting in good faith requires more than simply changing your terms and conditions. It requires businesses to take a good look at their data accumulation, processing, and protection practices and determine whether those practices give individuals the control and protection that the GDPR requires.
Washington Attorneys Helping You Evaluate GDPR Compliance
If you work with, or own, a business that you know is subject to the new GDPR requirements or if you have a company with an online presence but you’re unsure whether the regulations apply, you should speak with a transactional attorney familiar with the GDPR as soon as possible.
Because GDPR has already gone into effect, companies just starting to evaluate their compliance now are playing a game of catch-up. Avoiding fines and punishment for non-compliance will require a concerted effort to evaluate and strengthen your existing policies and a commitment toward seeking the help you need.
At Blado Kiger Bolan P.S., our business attorneys can help explain GDPR to you and work with you to determine whether the regulations are something that you need to be concerned about. If so, we can assist you in implementing any necessary changes. For more information or to schedule an initial consultation, contact us online or at (253) 272-2997.