How The New General Data Protection Regulation Will Affect Online Businesses


by Gabriel Shaoolian, founder of DesignRush

On May 25, 2018, the European Union implemented new Internet regulations called the General Data Protection Regulation – GDPR, for short. This new law has been the biggest overhaul in data privacy regulations in 20 years, according to the official site.

Essentially, the GDPR creates a universal standard for online privacy, data and information gathering across all European Union countries – similar to federal regulations that standardize laws across all 50 states in America. All 28 EU countries must now collect, process and store consumer information in the same fashion, which basically gives more control to consumers, enabling them to give and withdraw consent more easily. The new regulations replace the 1995 EU Data Protection Directive and the 1998 UK Data Protection Act.

Although the GDPR applies to European countries, it doesn’t just apply to Europe-based companies. In fact, any businesses that provide services to people residing in Europe must adhere to the new regulations. This includes e-commerce websites that ship internationally, content news sites accessible in the European Union, social networks like Facebook and Instagram, and more.

Because of the changes, you may have noticed new cybersecurity and privacy popups on sites when you land on them, or updated terms of use sent to your email. This is due to businesses adhering to the General Data Protection Regulation standards. However, it seems like these new laws snuck up on us – particularly businesses based in the U.S. So, what do they really mean for your business and what changes will you have to make to continue with business as usual?

Businesses Must Specifically Ask For Consent.

Although it sounds a bit strange, businesses must specifically ask for consent to provide consumers and visitors with information – even if they click onto their website. Because of this, you may have seen some popups at the bottom of a web page asking for your explicit consent to view the content or received new “terms of service” emails informing you of the new policies and/or requesting you re-opt into email newsletters.

It’s important to note that businesses can’t just create one overarching request for consent that covers all forms of content, information collection, email delivery and more. Instead, each request should be separate and specific to ensure that consumers (or their legal guardians, if users are under 16 years old) understand what they are agreeing to.

Consumers Have A “Right To Be Forgotten”.

Speaking of consent, consumers have the right to be forgotten by a brand, aka completely revoke their consent to give information, receive communication and more. Many may remember this idea from the Google court case in 2017, which required the site to remove results from all search listings following a delisting request. The GDPR gives this idea a stronger foundation.

Because the GDPR aims to give control of information back to consumers, not brands, customers should be able to easily locate where they can remove their data and opt out of communication. Should they want to do so, businesses shouldn’t just remove them from lists while keeping their information; they should completely scrub their files if requested.

Companies Will Need To Prove They Are Protecting Data.

Business accountability is a hallmark feature of the GDPR, and one aspect that ensures compliance from all companies operating within the EU in some fashion online. Because the privacy laws are fairly complex compared to the previous regulations, there are several resources businesses can use to ensure they are fully compliant.

Some of these tools include a Code of Conduct or a formal certification from an accredited body. Although these are optional, they will likely make proving your compliance very easy in the future and could alleviate unnecessary stress should your site be audited for privacy and security by the EU.

Some of the data that companies must protect under the EU GDPR include:

  • Consumer name, address, contact information and ID numbers.
  • Banking and credit card information.
  • Personal information, like sexual orientation, racial information, medical records, health and gene information, and political affiliations and opinions.
  • Web and computer information, such as location, IP address, cookie data and RFID tags.

Data Breaches Must Be Formally Reported.

Another big feature of the General Data Protection Regulation is the requirement to report any data breaches to the organization. Prior to the GDPR, businesses weren’t necessarily required to inform individuals of all cases of unauthorized access or inform a particular formal entity, instead sometimes dealing with any hacks internally. Now, in cases of important hacks that risk consumers’ personal information or could damage their finances or reputation, businesses must formally inform the GDPR within 72 hours and any affected consumers. Although it seems obvious, this stronger tracking of cybersecurity is a key to a safer Internet for everyone.

Online Businesses That Are Not Compliant Will Be Penalized.

The GDPR isn’t just empty regulations with no follow-through – businesses operating in the EU that are not complying with all regulations will be penalized. Most likely, this will occur in the form of a hefty fine – anywhere from €10 million to 4 percent of your annual global turnover – commensurate with your specific violation. Therefore, if you aren’t compliant yet but should be, it’s in your best interests to hop to it and ensure you are.


Although the EU General Data Protection Regulation is a complicated set of rules, it only serves to make the Internet a safer place for businesses and consumers alike, which is extremely beneficial in this increasingly digital world.

Existing businesses should work with accredited professionals and EU representatives to ensure they are covered in every GDPR aspect to protect their customers and stave off unnecessary fines. Meanwhile, new businesses and startups should keep GDPR regulations at the forefront of all business growth conversations to avoid having to backtrack and meet requirements retroactively. But hopefully, by adhering to GDPR regulations, online businesses will see fewer security and data breaches, creating a world wide web conducive to global business.


Gabriel Shaoolian is a leading digital trends expert, entrepreneur and founder of DesignRush, a digital destination to inspire creativity and the discovery of design and technology trends.


