ARE YOU GDPR COMPLIANT?
What GDPR Means to Minneapolis Businesses
The GDPR is the EU General Data Protection Regulation, and it’s the biggest change we’ve seen in data privacy regulation. It took effect on May 25, 2018, and it has far-reaching implications for businesses around the world.
The purpose of the GDPR is to give people in the EU (European Union) control over their personal data, regardless of where in the world that data goes. Many other countries are modifying their own privacy laws to align with the GDPR.
We’ll cover in plain language what your business needs to do because of the GDPR.
Disclaimer: We are not lawyers. Nothing on this website should be considered legal advice.
Does the GDPR affect US businesses?
Yes. The GDPR reaches businesses in any country that offer goods or services to people in the EU, or that monitor their behaviour (for example, by tracking visitors to a website).
Where your business is located and what citizenship a person holds do not matter: the law protects people who are in the EU, and it applies to you if you deal with them. If an EU resident can sign up on your website or buy from your business, you are affected.
What do I have to do?
You need to do several things:
- Find out what data you have and who has access to it
- Find out what data you collect and who has access to it
- Make sure when you collect data you are getting explicit permission
- Only collect what you need
- Inform people of your data policies & follow them
- Protect the data you have & notify people if you fail to protect the data
- Allow people to access & delete their data
- Still obey any national, state, and local laws
Is there a template I can get?
Since this is new legislation there is no black & white definition of “complete compliance” with the law.
However, there are a lot of things you can do to protect your business and make sure you aren’t flagrantly violating the law. What you need to do is put together a set of privacy policies, tools, and internal procedures for handling this new law.
Find out what data you have and who has access to it
The first step to following the GDPR is to take an internal inventory of your data. If your business has been around for a while, then you have a lot of data on customers, vendors, employees, etc. You need to inventory all of the data that you have and also determine who has access to it.
Many companies when inventorying their data discover they have a lot of data they don’t need, or they allow access to that data to people who no longer even work there!
Find out what data you collect and who has access to it
The next step is to find out how you are collecting personal data about people. Below are some common questions to ask yourself:
- Are you collecting email addresses when people sign up for a newsletter?
- Are you collecting information from website forms?
- How do you handle information when someone calls your business?
- What is your customer onboarding process?
- What vendors have access to your customer information?
- Which employees have access?
And while determining who has access, you also need to make sure that those with access are handling the data properly. Transfers of personal data out of the EU are restricted: the data may go only to a country the EU has recognized as providing adequate protection, or under approved safeguards such as standard contractual clauses. Before sending data to a vendor in another country, check whether that country is covered by an adequacy decision; if it is not, you need those specific safeguards in place.
Make sure when you collect data you are getting explicit permission
Only collect what you need
You should only be collecting data that you actually need to have. If someone is signing up for a newsletter list, you need their email address. You don’t need their date of birth. The law’s data minimisation principle says that the data you collect must be limited to what is necessary for the purpose you are collecting it for; if you don’t have a business need to know the info, you don’t get to ask for it.
Inform people of your data policies & follow them
All businesses now need clearly displayed privacy policies on their websites. You need to tell people what you do with data, how it is handled, and what it is used for. And once you have these policies, you need to follow them.
Protect the data you have & notify people if you fail to protect the data
Under the new law, you are required to report a data breach to the supervisory authority within 72 hours of becoming aware of it, and to notify the affected people without undue delay when the breach is likely to put them at high risk. That means you need to know promptly if there is a data breach.
This creates an implicit requirement that you have routine monitoring and logging of your data and systems, so that you would actually find out if there was a breach rather than hearing about it from someone else.
You also need a written procedure for when a breach is discovered: how to contain and repair it, how to record what happened, and how to notify the authority and the affected people within the deadline.
Allow people to access & delete their data
Under the new law, people have the right to request to know what information you have on file about them. For example, you can now request from Facebook a data download of the information they have about you.
Under the GDPR, people can request:
- A copy of the data you have about them
- Deletion of the data you have about them
Still obey any national, state, and local laws
While this new law gives people a lot of access to and control over their data, you are still required by many laws to retain certain data.
For example, if you have a customer, you are required to keep certain records about them for tax purposes. Even if that customer requests you to delete the data about them, you must keep the data needed for tax purposes. If you had them on a mailing list, however, you would need to remove them from that.
So you need to develop procedures for determining how you can comply with various requests depending on the circumstances.
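The following is an added example of such a procedure in Python; it is not code from the original page, and the record layout, the retention rule (invoice records kept for tax purposes) and the sample customers are all constructed here for illustration. It handles an access request by returning a copy of the record, and an erasure request by removing marketing data and unsubscribing the person while keeping only the fields the retention rule requires, then returns a report of what was erased and what was kept so the response to the requester and your own records agree.

```python
"""Handling access and erasure requests against a small customer store.

Added example, not code from the original page. The record layout, the
retention rule (invoices kept for tax purposes) and the sample customers
are constructed for illustration; adapt the field lists to your own data
inventory.
"""
import hashlib
from copy import deepcopy

# Fields another law (tax record-keeping, assumed here) obliges you to keep
# even after an erasure request. Everything else is erased.
RETAIN_FOR_TAX = {"customer_id", "invoices", "billing_country"}


class CustomerStore:
    def __init__(self):
        self.customers = {}          # customer_id -> record (dict)
        self.mailing_list = set()    # lower-cased newsletter addresses
        # Hashes of erased addresses, so a later import or re-signup from an
        # old backup does not silently put the person back on the list.
        self.suppression_list = set()

    @staticmethod
    def _fingerprint(email):
        return hashlib.sha256(email.strip().lower().encode()).hexdigest()

    def add(self, record):
        self.customers[record["customer_id"]] = record
        if record.get("newsletter_subscribed"):
            self.mailing_list.add(record["email"].strip().lower())

    def access_request(self, customer_id):
        """Right of access: a copy of everything held about the person."""
        rec = self.customers.get(customer_id)
        return deepcopy(rec) if rec is not None else None

    def erasure_request(self, customer_id):
        """Right to erasure, subject to legally required retention.

        Returns a report for the requester and for your own records:
        what was erased, what was kept, and why.
        """
        rec = self.customers.get(customer_id)
        if rec is None:
            return {"status": "not_found", "erased": [], "retained": []}

        # Marketing contact always stops, whatever else is retained.
        email = rec.get("email", "")
        if email:
            self.mailing_list.discard(email.strip().lower())
            self.suppression_list.add(self._fingerprint(email))

        if not rec.get("invoices"):
            # Nothing we are obliged to keep: remove the whole record.
            del self.customers[customer_id]
            return {"status": "deleted", "erased": sorted(rec), "retained": []}

        erased = sorted(k for k in rec if k not in RETAIN_FOR_TAX)
        for k in erased:
            del rec[k]
        retained = sorted(rec)
        rec["erasure_requested"] = True   # never reuse this record for marketing
        return {
            "status": "partially_retained",
            "erased": erased,
            "retained": retained,
            "reason": "invoice records kept for the statutory tax retention period",
        }

    def can_subscribe(self, email):
        """Check a new newsletter signup against the suppression list."""
        return self._fingerprint(email) not in self.suppression_list


def build_sample_store():
    """Constructed sample data (not real people)."""
    store = CustomerStore()
    store.add({
        "customer_id": "C-1001",
        "name": "Alice Example",
        "email": "Alice@example.com",
        "date_of_birth": "1980-01-01",
        "billing_country": "DE",
        "newsletter_subscribed": True,
        "invoices": [{"number": "INV-1", "total": 120.00, "date": "2018-03-01"}],
    })
    store.add({
        "customer_id": "C-2002",
        "name": "Bob Example",
        "email": "bob@example.com",
        "newsletter_subscribed": True,
        "invoices": [],
    })
    return store
```

The suppression list stores only a hash of the erased address rather than the address itself, so you are not keeping the very data you were asked to delete just to avoid re-adding it; a plain hash of an email is still guessable by anyone who already has the address, so treat that list as sensitive too. The `reason` field in the report is what you would quote back to the requester when explaining why some data was kept.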