The internet has changed not only the way we communicate and handle everyday tasks but also how much of our personal data is collected, stored and shared with the people and companies we interact with online. We enter personal details online without stopping to consider how much we have shared or what happens to that information. Every time we fill out a form, purchase an item online or even just visit a website, we are sharing data with someone, and they in turn may be sharing or even selling that information.
In the United States, regulators have been slow to keep up with these momentous changes. The European Union, however, adopted the General Data Protection Regulation (GDPR) in April 2016, and it became enforceable on May 25, 2018. The GDPR changes the way businesses may collect, store and use personal data, and it applies to any company that offers goods or services to, or holds personal information about, individuals located in the EU, regardless of where the company itself is based.
Do the new GDPR guidelines affect your business?
The way you collect, store and share data must comply with the GDPR if your business:
- has a physical presence (an establishment) or employees located in the EU; or
- offers goods or services to individuals in the EU, even only over the Internet; or
- collects or handles personal information about people living in the EU; or
- monitors the online behavior of people residing in the EU.
If you are found in violation of the GDPR, you or your business can be fined up to 4% of your annual worldwide revenue or €20 million, whichever is higher, for the most serious infringements (a lower tier of 2% or €10 million applies to others).
What should you do to protect your business?
Our team has compiled a few tips on how your data collection process should be handled and how you can avoid
- Map your company’s data – identify what personal data you hold, where it resides, who can access it, which third parties (service providers, processors) it is shared with, and what risks there are in keeping it. The GDPR expects most organizations to keep a written record of their processing activities, so this inventory is not optional paperwork.
- Determine the type of data you actually need to keep. Define a clean-up process and ask why you are keeping each category of data. Holding more data than necessary makes compliance harder: data minimisation is one of the GDPR’s core principles, and every record you keep is one more record you must secure, disclose and, on request, delete.
- Put appropriate technical and organisational security measures in place to protect the data you hold or may acquire in the future, such as encryption, access controls limited to staff who need the data, and a tested procedure for detecting and reporting breaches. Under the GDPR a personal data breach must generally be reported to the supervisory authority within 72 hours of becoming aware of it, so the process has to exist before an incident occurs.
- Review your consumer disclosures and make adjustments to your website where necessary. Consent is only one of several lawful bases for processing under the GDPR, but where you rely on it, it must be freely given, specific, informed and unambiguous, and signalled by a clear affirmative action. Pre-checked boxes, silence and implied consent are no longer acceptable.
- Re-examine the consent you already hold for the personal information of existing consumers. If it was not obtained to the GDPR standard, or you cannot demonstrate how it was obtained, request fresh consent or identify another lawful basis before continuing to use the data.
Even if you believe that your business does not interact with, market to or collect data from EU residents, we strongly advise reviewing your Privacy Policies to ensure they are GDPR-compliant, as this offers the most protection for both your company and your consumers.
If you process data about individuals in the context of selling goods or services to people located in EU member states, you will need to comply with the GDPR. Our expectation is that legislation in the United States will largely follow the GDPR.
DiSchino & Schamy is a boutique, Miami-based law firm which specializes in corporate, business and intellectual property matters for businesses in the creative industries. For more information about the GDPR, how it applies to you, and what changes need to be made to your website and newsletters, please visit www.EUGDPR.org or contact our team by e-mailing us at firstname.lastname@example.org.
By: Christopher DiSchino (July 10, 2018)