What is GDPR? Why Should You Care?

GDPR stands for General Data Protection Regulation. The GDPR originated in Europe, drafted by the European Commission. Its goal was to get businesses “…to prepare and become fit” for the era of technology.

But it does NOT only apply to companies that do business in Europe.

The GDPR was originally designed to be a new set of regulations to provide citizens of the EU with more control over their personal information.  However, again, the GDPR is not just applicable in Europe.  Even if your business is primarily based in the United States, if you do or even MAY do business with European citizens now or in the future OR if your website is accessible in Europe, it applies to you too.

What this means is that many of the best legal minds have decided the GDPR applies to anyone who does business on the web—even if that seems to be only in the USA. (See https://www.recode.net/2018/5/16/17360944/gdpr-us-business-eu-european-union-data-protection-privacy)

The GDPR standards address how a business collects and manages user data. Some of the specifics include:

  • Letting web users know what data is being collected
  • Letting them opt out of that data collection
  • Letting them see the data collected
  • Letting them have any data that has been collected completely deleted from any records

There are a few other specifics, but that is the gist of it.

Yet, while the GDPR seems primarily focused on protecting the citizen, it protects businesses too. These regulations set boundaries around personal data, privacy, and consent. In today’s world, data is the heart of our society—in social media companies, banks, retailers and even the government. Each of these services often collects, uses and saves personal data like your name, address, credit card number, and more. With all the data breaches we have seen over the last few years, this can be a scary thought.

What is GDPR compliance?

As these breaches have demonstrated, our information is not always safe with the company that collected it. Unfortunately, it can be lost, stolen or end up in the wrong hands with the wrong intentions. GDPR sets forth terms that clearly outline the standards that those organizations that store your information are obligated to uphold. The hope is that these rules and standards will help to protect your information from misuse and exploitation. Just as importantly, it also outlines that the data must be collected legally and under strict conditions. Failure to follow these regulations will result in penalties, including fines.

What are the GDPR fines and penalties for non-compliance?

An organization’s failure to comply with GDPR can result in a fine of as much as 4% of the company’s annual global turnover, which could mean billions for larger organizations. The severity of the fine will depend on the severity of the breach and whether or not the company has taken the security requirements of the regulation seriously. The greatest fine is for violations of the rights of the protected citizens, unauthorized transfer of personal data, and denying the subject access to their personal data. A lesser fine of 2% applies for failing to report a data breach or failing to appoint a data officer, which is required by GDPR.

What does GDPR mean for citizens?

As mentioned, an incredible amount of data has been subject to misuse and breach over the years. Meaning, an individual’s information could very likely be roaming free somewhere on the world WILD web. This info could be email addresses and passwords, and even social security numbers, credit card numbers and health records.

With GDPR in place, consumers have a right to know if and when their information has been hacked. Once they’re aware of the hack, national bodies will ensure that appropriate measures are identified and taken to help ensure the data is not being abused. It also gives citizens easier access to their information and to how it is being stored, so that they can make INFORMED decisions about whether they want those with whom they do business to have, store, or use that data at all and, if so, for what purpose and for how long. There is also a right to be ‘forgotten’—so that once you opt out of your personal data being processed by an organization, they must delete it without retaining it in any way.

Organizations will also be encouraged to adopt techniques such as pseudonymization, which is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. This process allows organizations to benefit from collecting and analyzing personal data, all the while keeping the privacy of their consumers protected. Many credit card providers already do this and are a bit ahead of the game.
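To make the pseudonymization step concrete, here is an added example (not code from the original post) that replaces the identifying fields of a customer record with keyed tokens, keeps the token-to-value mapping in a separate lookup store, and shows both re-identification with that store and erasure of one person’s mapping so their rows can no longer be linked back to them. The field list, the sample records, and the choice of HMAC-SHA256 with a separately held key are assumptions made for this example; the regulation’s definition of pseudonymization requires the re-identification information to be kept separately and protected, which is why the lookup store and key are never stored alongside the analytics copy.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Fields treated as directly identifying in this example (an assumption;
# a real data inventory decides which fields count as personal data).
PII_FIELDS = ("name", "email", "credit_card")

# Constructed sample records standing in for a customer table.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com",
     "credit_card": "4111111111111111", "country": "DE", "spend": 120},
    {"name": "Bob Example", "email": "bob@example.com",
     "credit_card": "5555555555554444", "country": "US", "spend": 75},
    {"name": "Ada Example", "email": "ada@example.com",
     "credit_card": "4111111111111111", "country": "DE", "spend": 30},
]


def make_pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic pseudonym for one field value.

    HMAC-SHA256 rather than a bare hash: an unkeyed hash of an e-mail
    address can be reversed by hashing guesses, whereas without the key the
    token reveals nothing. Mixing in the field name keeps the same string
    from yielding the same token in two different columns.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return "pseud_" + mac.hexdigest()[:24]


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of `record` with PII fields replaced by pseudonyms.

    The token -> original mapping is written to `lookup`, which must live
    apart from the pseudonymized data (and under stricter access control)
    so that the analytics copy on its own identifies nobody.
    """
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            token = make_pseudonym(key, field, out[field])
            lookup[token] = out[field]
            out[field] = token
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Restore original values where the lookup still holds them; tokens
    whose mapping was erased stay as tokens (the subject is 'forgotten')."""
    return {k: lookup.get(v, v) if isinstance(v, str) else v
            for k, v in record.items()}


def forget(lookup: dict, key: bytes, field: str, value: str) -> bool:
    """Erase one subject's mapping entry for `field`. The pseudonymized rows
    stay usable for aggregate statistics but can no longer be linked back
    to the person. Returns True if an entry was removed."""
    return lookup.pop(make_pseudonym(key, field, value), None) is not None


def spend_by_customer(records: list) -> dict:
    """Aggregate over pseudonymized rows; grouping still works because the
    pseudonym is deterministic per subject and field."""
    totals = {}
    for r in records:
        totals[r["email"]] = totals.get(r["email"], 0) + r["spend"]
    return totals


def demo(key: Optional[bytes] = None) -> dict:
    """Run the full flow on the sample data and return the intermediate
    results so they can be inspected."""
    key = key or secrets.token_bytes(32)  # held in a secrets store, not with the data
    lookup = {}
    pseud = [pseudonymize(r, key, lookup) for r in SAMPLE_RECORDS]
    totals = spend_by_customer(pseud)
    restored = reidentify(pseud[0], lookup)
    # Ada exercises her right to be forgotten: drop every mapping for her.
    for field in PII_FIELDS:
        forget(lookup, key, field, SAMPLE_RECORDS[0][field])
    return {"pseud": pseud, "totals": totals, "restored": restored,
            "after_forget": reidentify(pseud[0], lookup),
            "other_still_linkable": reidentify(pseud[1], lookup)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point worth noticing is that erasing the lookup entry is what makes the "forgotten" rows unlinkable: the aggregate totals computed earlier remain valid, but nothing in the analytics copy or the remaining lookup can be tied to the person any more.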

Where do you stand with GDPR? Are you compliant? If so, wonderful. If not, why not? Even if you don’t think it applies to you or your site, the fix is simple and really a GOOD THING—whether the law requires it of you or not.