New EU data protection regulation (GDPR): why you should pay attention
The General Data Protection Regulation 2016/679 is an EU regulation on data protection and privacy that applies to all citizens and residents of the European Union. Adopted in 2016, the GDPR becomes directly binding on May 25 for all companies that collect, store, and/or process data of customers from the EU. The regulation can also affect services that track and analyze users’ online behavior for advertising or marketing purposes.
I’m a business owner. What does GDPR mean for me?
It’s the customer’s location that matters, not the company’s
First of all, you should note that the GDPR applies not only to businesses based in the EU, but to any service provider working with European customers. If your company website is translated into European languages or uses top-level domain names tied to specific European countries, it is clear that EU customers are your target audience.
Before you can collect any data, the user must give their consent to the processing of their personal information. The user must take a deliberate action to confirm agreement with the provider’s data policy, such as ticking an “I agree” checkbox – and the box must not be pre-ticked!
Note that the user can also withdraw their consent to data processing at any time. Make sure that instructions on how to do this exist and can be easily found on your website.
It’s up to you to make customers informed
The user must know what data is being collected, how long it is stored, for what purposes, and why it is needed. Providing links to the relevant legislation is a good way to explain what your policy is based on and, at the same time, to show that you are compliant with the standard.
You must be technically prepared
You might have to upgrade the technical capabilities of your systems to ensure that the data can be pseudonymized (encrypted). The necessary protection mechanisms must be integrated into your business processes. By default, the maximum security level must be set for all customers’ accounts.
Sanctions are tough
The GDPR is to be taken seriously: the infringement fine can reach 20 million EUR.
I’m a customer. What does GDPR give me?
Maximum control over your personal information
The GDPR’s goal is to enforce the rights of individuals to influence the processing of their personal data. The right of access means you can request full information on how your data is handled, with whom it is shared, and obtain a copy of the data itself. You can also request that your data be deleted from the provider’s database.
You also have the right to data portability, which means that a merchant must ensure that personal information stored in their system can be transferred to another system in an electronic format. This can spare you from re-entering your data when registering with a new service, let you transfer your product preferences when signing up for a new online shop, and so on.
The GDPR harmonizes the handling of personal data across the EU: companies now have one uniform regulation to deal with instead of multiple national laws, which should simplify compliance procedures.
But the GDPR’s main focus is on the customers’ rights: users get significantly more control over the information they make accessible to service providers.
This is to remind you how and why we collect, process, and store your personal data.