We’ve all seen the news reports about companies collecting and sharing customers’ personal information without their knowledge or consent, not keeping sensitive information private, and not adequately protecting their systems from hackers. Now the European Union has done something about it, by enacting the GDPR (General Data Protection Regulation) in May 2018. But what does that mean to you?
If you have customers, employees, suppliers or other business associates who live in the EU, obviously you will need to change your business practices to comply with the GDPR. (The UK will have similar statutes after Brexit.) Even if you don’t, it’s a good idea to become familiar with its mandates — so you’ll be ready when the U.S. institutes its own regulations.
What the GDPR protects
Any type of personal data is covered by the GDPR. This includes names, contact info, credit card/bank account numbers, medical records and more. It requires businesses that collect this data to:
• Have a legal reason for doing so, and use it ONLY for that purpose. For example, a customer might give you his email address so that you can send info about your products.
• Make user terms and conditions (such as for your website) clear, easy to understand and easy to find.
• Respond within one month to individuals who ask what information the business holds about them, and do not charge a fee for doing so.
• Erase all stored data about a customer upon their request, unless the data is needed for legal reasons such as tax filing.
• Provide a digital copy of personal data to individuals upon request; they can use it in any way they want, including moving their account to a different business.
• Report certain types of data breach to the relevant supervisory authority.
• Transfer data to a U.S.-based company for storage or processing only if that company is certified under Privacy Shield.
What steps you should take
A comprehensive review of your data collection, storage and usage will be needed to ensure GDPR compliance.
• Find out which of your products and services are collecting and processing personal data.
• Analyze whether they have a legal basis for doing so.
• Check that these systems are secure from hackers and unauthorized users.
• Develop response procedures for customers’ data requests, such as disclosure, erasure and portability.
• Update internal and external notices and contracts to be GDPR compliant.
• Assign responsibility for data protection to someone in your business.
• Provide data privacy training for all staff who work with the data.
As you can see, there are many aspects of data protection, but what they all boil down to is treating your customers’ privacy and rights as if they were your own. Maintaining mutual respect and high ethical standards is not just the law; it’s good business.