The EU General Data Protection Regulation (GDPR) is a significant piece of European legislation that became applicable on May 25, 2018. It builds on existing data protection laws, strengthening the rights that individuals in the EU have over their personal data, and creating a single data protection approach across Europe. With fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, its impact is undoubtedly wide-reaching.
While the GDPR is an EU law, it applies to any organization that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where the organization is based, including US companies. Merely being reachable from the EU is not the test; targeting people in the EU is. While there are many facets to this law, there are a number of key things a business needs to be aware of to comply with these regulations.
Transparent Policy & Consent
Businesses need to be clear about how they process data, in “a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12). This requires a clear Privacy Policy that states what data is collected, why, on what legal basis, for how long, and with whom it is shared. Consent is one of the six lawful bases for processing (Article 6), and where you rely on it, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give (Articles 4 and 7). Pre-ticked boxes and silence do not count as consent.
Under the GDPR, businesses are also required to honour the rights of data subjects: the right of access (Article 15) lets a user obtain a copy of the personal data held about them so they can see what has been collected, and the right to data portability (Article 20) lets them receive that data in a structured, commonly used, machine-readable format and move it to another service. Requests must generally be answered within one month.
Data Processing Agreements
If you use third parties (processors) to handle user data in any way, Article 28 requires a written data processing agreement that establishes the rights and responsibilities of each party: the processor may act only on your documented instructions, must implement appropriate security measures, must assist with breach notification and data subject requests, and may engage sub-processors only with your authorization. A good example is a company using a cloud service provider such as Amazon Web Services, which provides a Data Processing Agreement (DPA) covering these obligations; review it and keep a record of which vendors have signed one.
Data Transfer Agreements
If a business collects personal data from individuals in the EU and transfers it to countries outside the EU/EEA, it needs a valid transfer mechanism under Chapter V of the GDPR: an adequacy decision for the destination country, Standard Contractual Clauses (SCCs) with the recipient, or Binding Corporate Rules for intra-group transfers. Self-certification under the Privacy Shield Framework was originally such a mechanism for US companies, but the Court of Justice of the EU invalidated Privacy Shield in July 2020 (Schrems II), and it was replaced by the EU-US Data Privacy Framework in July 2023; check which mechanism currently covers each transfer rather than relying on an old certification.
Data Breach Reporting
Businesses acting as controllers are required to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33), and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). Processors must notify the controller without undue delay after becoming aware of a breach. Every breach, reported or not, must be documented with its facts, effects and remedial action, so an incident response process that records this and can produce a notification within the 72-hour window is essential. There are further considerations and duties around these requirements detailed in Articles 33 and 34.