GDPR is a new set of EU regulations going into effect on May 25, 2018. It provides citizens (and potentially non-citizen residents) of the European Union greater protections and rights pertaining to what companies can do with their personal information. The primary objective of GDPR is to protect individuals by reducing the amount of personal data available to organizations, and to provide them additional control over that data. Once this law goes into effect, the penalties for non-compliance increase significantly, and care has been taken to make these penalties enforceable globally.
Yes. Any website anywhere that collects and uses personally identifiable information about an individual residing in the EU must comply with GDPR. The regulation states that penalties are enforceable regardless of the country in which the company using the data operates.
The EU GDPR laws apply quite broadly. The legislation defines “personal data” as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” This information includes, but is not limited to:
GDPR grants users the ability to access their data in several ways, including:
A user requesting such information must provide the site operator with details necessary to identify that user. Be prepared for such requests: determine what information you require to verify an individual's identity and to locate their information within your systems.
Your responsibility for maintaining GDPR compliance will vary based on the nature of your business, target markets, and data collection methods your organization has implemented. The GDPR has many requirements about how to collect, store, and use personal data. Take these steps to evaluate your data’s compliance with the new regulations:
Educate your organization on GDPR compliance requirements and appoint a primary point of contact for digital privacy related enforcement and education.
Review all systems within your organization that collect or process end-user data. This is not limited to your website platform; consider CRMs, ERP systems, marketing automation tools, and more.
Review your procedures pertaining to the collection, storage, and processing of personal data falling under GDPR. Be mindful of the new data retention regulation and set up periodic reviews and audits of your data.
Set policies and processes for effectively and appropriately reporting data breaches pertaining to data falling under GDPR. Be able to easily extract user data from your database.
Take a deep dive into this process in our whitepaper: A Closer Look at GDPR and How it Affects Your Company's Data Process and Management.
Yes. The GDPR requires that before collecting or processing personal data, controllers must have a specific legal basis to do so. Organizations must provide:
Acquiring agreement could be as simple as including a checkbox on a form that requires users to confirm consent to the collection and storage of information before they can submit their requests. It must also be easy to remove that consent if requested.
GDPR penalties fall into two tiers, depending on the severity of the infraction:
The tier applied will depend on the nature, duration, and severity of non-compliance, including:
Are you a Titan CMS user? Read how the GDPR will impact your Titan CMS instance here.