Pagoda Blog


What is GDPR and is Your Business in Compliance?

May 16, 2018

GDPR (General Data Protection Regulation) is a new requirement going into effect May 25, 2018 that aims to protect the personal data and privacy of all people in the EU (both citizens and visitors). It applies to any company that collects data on citizens or people currently residing in the EU. This data includes basic information such as a first name and email address collected in a newsletter sign-up form as well as cookies and IP addresses.

 

While the recent Cambridge Analytica scandal has underscored the importance of regulating how our data is collected and used, the EU has a long history of strictly regulating how companies use their citizens’ data. The GDPR is a much-needed update to the Data Protection Directive adopted in 1995. Few people outside the EU paid much attention to the original directive, but the steep fines associated with the GDPR have companies across the globe paying attention.

Here’s a summary of what you need to know about the GDPR and how to make sure your business is in compliance.

 

When does the GDPR go into effect?

Your business has until May 25, 2018 to comply with the regulations laid out in the GDPR. Yes, this is right around the corner, but before you start panicking, know that a recent survey conducted by Ipsos MORI on behalf of the UK government found that in the UK just “38 percent of businesses, and 44 percent of charities, say they have heard of the GDPR” and “among those aware of GDPR, just over a quarter of businesses and of charities made changes to their operations in response to GDPR’s introduction.” According to Gartner, more than 50% of companies will not be in full compliance with GDPR even by the end of 2018.

So you’re not alone if you haven’t yet begun working on compliance, but that doesn’t mean you shouldn’t get started.

 

What happens if my business is out of compliance?

If you violate the terms in the GDPR, your business could face fines of up to €20 million or 4 percent of your total annual revenue from the previous financial year, whichever is higher.

 

If my business is based outside of the EU, does the GDPR still apply?

The GDPR applies to all businesses that conduct transactions with anyone residing in (or visiting) EU member states. If you’re unsure whether or not individuals from the EU have purchased your products or services, it’s better to play it safe.

If your business has an online presence, people from around the world have access to your website and may provide you with personal information through a contact form, newsletter sign-up or shopping cart. Even if you don’t collect any personal information through a form, you could still be out of compliance. For example, if you have ads on your site through a third-party advertiser that tracks cookies, and you don’t clearly notify your users, this violates the GDPR.

The main goal of the GDPR is transparency, so your primary concern should be updating your website to be as up-front as possible about the data you collect and how you plan to use it.

 

As explained in a blog post by LogicGate,

 

“The purpose of the GDPR is to protect EU citizens from data breaches, increase consumer trust and safety, and create transparent accountability measures. Data must be provided in a clear, concise, transparent, and easily accessible language, especially if addressed to a child, and it must be provided at no cost. Everyone will have access to their own data under the GDPR and should receive confirmation if their data is being processed, and will also be legally allowed to take their data with them once their business has ended with the company.”

 

How do I comply with the GDPR?

There are several basic changes every business owner should make to their website to be in compliance with the GDPR. We have put together a list of compliance actions to prioritize, but we recommend also taking the data protection assessment created by the UK Information Commissioner's Office (ICO) for small and medium-sized businesses.

Here are the actions we recommend you take to be in compliance with the GDPR:

  1. Get clear consent

In order to collect and process an individual’s data you must have the explicit consent of that individual. This means that the individual must actively agree to share their information with you for a clearly stated purpose. Pre-ticked boxes, silence, and inactivity are not considered forms of consent.

 

For example, if you offer a free lead magnet on your site like an ebook or white paper in exchange for someone’s email address, you may not also automatically sign them up for your newsletter without their consent. You must either state in your free opt-in form that by entering their email address they are also agreeing to receive your newsletter or you may ask for their consent after the fact when you email them their free opt-in.

 

MailChimp has put together GDPR-friendly forms to help you comply and Constant Contact offers a ‘Consent Confirmation’ template for its users.

 

  2. Update your privacy policy and include it on your website

In the spirit of transparency, it’s important to review your existing privacy policy as it applies to user data (or you may need to create one in the first place). A clear link to this policy should be included on your website anywhere that you collect data. (Directly below your newsletter sign-up or contact form, for example.) This policy is essentially a short public notice explaining in clear language how your business applies data protection principles to processing data.

 

Here’s a breakdown from IT Governance of what your privacy policy should include:

 

  • Who is collecting the data?
  • What data is being collected?
  • What is the legal basis for processing the data?
  • Will the data be shared with any third parties?
  • How will the information be used?
  • How long will the data be stored for?
  • What rights does the data subject have?
  • How can the data subject raise a complaint?

 

  3. Increase the security of your data storage

Any user data you collect must be stored in a way that doesn’t put your users’ identities at risk or expose sensitive information to malicious parties. One way to do this is by encrypting any information that’s sent through your website. Pseudonymization also protects your users by preventing stored records from being connected back to an individual without additional information that you keep separately.
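To make the pseudonymization point concrete, here is an added example (written for this post, not code from Pagoda or from any of the services mentioned) that replaces the direct identifiers in sign-up records with keyed HMAC tokens. The sample records, field names and the `PseudonymVault` class are all constructed for illustration; the assumption is that the key and the re-identification table live somewhere separate from the dataset that analysts or third parties see.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records, modelled on what a newsletter or ebook
# sign-up form might collect. Not real people.
SAMPLE_RECORDS: List[dict] = [
    {"name": "Ada Example", "email": "ada@example.com", "signup_source": "newsletter"},
    {"name": "Bob Example", "email": "bob@example.com", "signup_source": "ebook"},
    {"name": "Ada Example", "email": "Ada@Example.com ", "signup_source": "contact-form"},
]

# Fields that identify a person directly; everything else is left as-is so the
# pseudonymized dataset is still useful for counting sign-ups per source.
DIRECT_IDENTIFIERS = ("name", "email")


def generate_pseudonym_key() -> bytes:
    """Secret key for pseudonymization.

    The key is the 'additional information' that re-links tokens to people, so
    it must be stored apart from the pseudonymized data (hypothetically: a
    secrets manager rather than the analytics database).
    """
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a normalised identifier.

    A plain unkeyed hash of an email address is a weak pseudonym because email
    addresses are easy to enumerate and look up; the secret key is what makes
    the token unlinkable for anyone who does not hold it.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by tokens."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def pseudonymize_records(records: List[dict], key: bytes) -> List[dict]:
    return [pseudonymize_record(r, key) for r in records]


class PseudonymVault:
    """Separately stored token -> original lookup for the limited cases where
    re-identification is lawful, such as answering a data subject's access
    request. Kept out of the dataset that ordinary processing touches."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = pseudonym(value, self._key)
        self._lookup[token] = value.strip().lower()
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._lookup.get(token)


if __name__ == "__main__":
    key = generate_pseudonym_key()
    for rec in pseudonymize_records(SAMPLE_RECORDS, key):
        print(rec)
```

Because the same normalised email always maps to the same token under one key, repeat sign-ups can still be counted and de-duplicated without anyone handling the raw address; rotating or destroying the key is what turns the pseudonymized dataset into anonymous data.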

 

  4. Instate a BYOD policy

If you have employees who access work email or other company data with personal devices, including smartphones, you should make sure you have a GDPR-compliant BYOD policy in place. For more information on when you should create a BYOD policy and what to include in it, read our blog post, Why You Need a BYOD Policy and How to Create It.

 

  5. Establish security breach procedures

The GDPR expects businesses to have a plan in place for when personal information is exposed or compromised in a data breach. You should have systems in place to prevent and detect any malicious activity or gaps in security. If a data breach does occur, you should have a system in place that immediately notifies affected users of the breach.

For those concerned their business may not be in compliance with GDPR, keep this advice from TechRepublic in mind:

 

“The GDPR requires businesses to make every effort to mitigate the damage security breaches have on people, particularly EU citizens. To that end, it is vital that all enterprises take measured and documented steps to close security vulnerabilities, prevent security breaches, and mitigate the risks when prevention fails. The mere fact that an enterprise made a substantial and documented effort in this regard could be enough to establish GDPR compliance and avoid substantial fines and penalties after a security breach.”

 

 

Has your company started the GDPR compliance process? Were you aware of GDPR before reading this article? Let us know your thoughts and concerns by reaching out on Twitter to @PagodaTech.

 

For more information on the GDPR and how to comply, we recommend the following articles:

 

 

Related Pagoda posts:

 

 

Want to get more posts like these once a month in your inbox? Sign up for the Pagoda newsletter and learn how to protect and grow your business with monthly IT tips from our experts. Subscribe today.

 

Need ongoing IT support for your business? Contact us for a free consultation. We’d love to work with you!

 

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.

 



