Are you wondering why your email inbox has been filling up with privacy policy updates from every company you’ve ever heard of? The answer is GDPR.
The General Data Protection Regulation (GDPR), an EU privacy law, becomes enforceable on May 25, 2018. This applies to all parties who use the Personal Data of EU citizens – even if the company is based in the U.S. And the fines for noncompliance can be severe. If you have any questions or concerns about how this affects your company, please feel free to contact me. Below is a general overview.
What Is “Personal Data”?
Personal Data means any information relating to an identified or identifiable individual. This can be understood to include names, addresses, email addresses, IP addresses, and much more.
Anyone who collects, changes, transmits, erases, or otherwise uses or stores the personal data of EU citizens must comply with GDPR. So, for example, if your email list includes EU citizens, you have to comply with GDPR.
Under GDPR, in order to use Personal Data, you need a legal basis to do so. The most common legal basis is “consent.” This consent must be both specific and verifiable.
So if someone asks how their information ended up on your list, you have to be able to show exactly how and when they provided consent. If you don’t have those records, you should delete their information from your list.
Obtaining Consent
When someone is added to your mailing list in the future, you must obtain consent – and there are specific rules about how that consent should be obtained.
- Consent to the use of Personal Data has to be specific to distinct purposes.
- Silence, pre-ticked boxes or inactivity do not constitute consent; people must explicitly opt in to the storage, use, and management of their Personal Data.
- Separate consent must be obtained for different processing activities. You must be clear about how the Personal Data will be used when you obtain consent.
Here are a few guidelines to follow: (a) a positive opt-in is required; (b) it must be separate from other terms & conditions; and (c) it must include a simple way to withdraw consent. For example, once someone opts in, they may receive a confirming email with a simple way to withdraw consent to particular uses of their Personal Data.
Privacy Policies
If you collect any kind of data through your website, you should have a privacy policy. Those policies will need to be updated to comply with GDPR. Please feel free to be in touch if you would like a review of your website’s privacy policy.
Penalties for Non-Compliance
The fines for non-compliance with GDPR are up to 20 million euros, or in the case of a company, up to 4% of their total global turnover (meaning total annual revenue) in the previous fiscal year, whichever is higher.
The bottom line is that companies are going to have to be much more aware of their privacy policies and ensure that any Personal Data (especially pertaining to EU citizens) has been obtained with proper consent.