A basic GDPR overview for U.S. websites

The General Data Protection Regulation (GDPR) was approved by the European Parliament and Council in April 2016 as the primary law regulating how companies protect EU citizens’ personal data. In addition to businesses located in the EU, any business that collects, processes, or stores the personal data of EU citizens is subject to the new regulation regardless of its location. Under the GDPR, “personal data” means information relating to an identified or identifiable person. This information could be a name, phone number, email, ID number, location information, photos, IP addresses, cookie strings, and social media posts.

Failing to abide by GDPR rules, which became effective beginning on May 25, 2018, can lead to stiff penalties and fines. If you run a website or app that is used by citizens of the EU, it’s time to make some changes to your personal data policies. Most of these changes should be discussed thoroughly in your Privacy Policy and implemented in your internal protocols. Here are a few of the major changes that may apply to your business:

  • Stronger Consent Required. One of the biggest changes is to the consent requirement. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. Make sure all consent forms are unchecked by default and have an easy-to-understand confirmation process.
  • Further Explanation Needed. Vague descriptions of what data you are collecting are no longer sufficient in your Privacy Policy. Now, your policy must inform visitors how their information is being collected, the type of data being collected, the reason it’s being collected, and how long the information is being held for. Third-party vendors and data processors must also be explained to users if your website shares data with, for example, an analytics, marketing, or cybersecurity company.
  • Breach Notification. Under the GDPR, breach notification is mandatory within 72 hours where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Companies must develop and adhere to thoughtful procedures for notifying the relevant data protection authorities of a data breach. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
  • Right to be Forgotten. Users will now have the right to have their data deleted at any time. It’s important to have a process in place for easy data deletion. Similarly, a user can request a copy of their data, making it imperative to have a log and ability to retrieve such information upon request.
  • Email Marketing. Under the GDPR, email marketers must collect freely given, specific, informed and unambiguous consent. The GDPR not only applies to the data collected on its effective date, but also to data gathered before. Thus, depending on how user data was collected in the past, you may need to unsubscribe users and ask for opt-in consent in order to comply with the new GDPR standards.

There are many other changes to account for thanks to the GDPR. It’s worth speaking with an attorney about your current data policies to check if the GDPR applies to you and, if so, develop your protocols and Privacy Policy that are in compliance.