In May, the EU Parliament rolled out the General Data Protection Regulation (GDPR), a new data policy that protects the personal information of EU internet users by tightening the rules on how websites collect and retain data. While the GDPR only affects citizens and residents of the EU, there's a catch that Americans and other non-EU citizens need to be aware of.
Businesses outside of the EU that have a high concentration of website visitors from the EU, or that directly sell products to EU users, must ensure their website complies with the new policies set forth by the GDPR. In this blog, we'll take you through the major changes to be aware of. Businesses that deal with users in the EU but don't abide by the GDPR can face heavy penalties if found non-compliant; maximum fines can be as high as 20 million euros or 4% of global turnover, whichever is higher [1].
Making sure that your business's website complies with the GDPR is essential to avoiding massive fines that could potentially cripple your entire operation. Read on to learn about the major changes and what you need to do to ensure your website is compliant.
What Are The Main Changes?
Aside from the major penalties, the biggest change to EU regulations on data collection is their geographical scope. The previous regulations were a bit ambiguous [2] about who they actually affected. Now, the GDPR has drawn clear lines on the geographical reach of the regulations: any citizen of the EU is covered under the GDPR, meaning that businesses outside of the Union are still required to abide by GDPR guidelines when collecting personal data that pertains to EU citizens.
Additionally, the GDPR requires businesses to report any data breaches of their sites, setting forth clear steps for informing users of a breach within a specific timeframe. The Right to Access is a section of the GDPR that allows a site's users to request documentation of the information the site has on file about them, how it was collected and how it is being used by the business. The Right to Erasure is also included as part of the new regulation; it essentially allows users to demand that their data be erased and collection cease if they no longer wish to accept a site's terms, or if the data is being misused after it has been collected.
How Do I Make Sure My Website Is GDPR Compliant?
The first question to ask yourself is: does it need to be? Does your site have a large concentration of EU users, or does your business periodically do business with EU customers? If either scenario is true, then it's definitely in your business's best interest to be GDPR compliant; remember those massive fines? If your site doesn't have a major concentration of EU users, or doesn't sell products to the EU, you don't necessarily need to be GDPR compliant; but you've gotten this far, so why not cover all your bases?
Aside from that, the burden falls on the business to act proactively: data breaches must be reported, and user requests about data collection or action must be complied with within preset timeframes. Honestly, the best way to make sure that your site is doing what it needs to is to consult a reputable source to familiarize your site's key staff with the regulations and rules of the GDPR.