If you are in the business of doing business, then you have probably heard of GDPR by now. To summarise, it’s a set of laws to protect the rights of EU citizens in relation to their personal data and privacy. And with these new rights comes responsibility. For whom?
Surely these EU laws don’t apply to you as a non-EU business, right?
The GDPR laws cross borders, in the sense that the rights of EU citizens apply worldwide, to any business that collects (or wants to collect) their personal data. These laws are there to protect the citizens of the EU regardless of the location of the party that is collecting their data.
The “Big Guys” already understood that message. Google, Facebook and other giants are developing GDPR measures and are updating privacy statements left and right. Of course, a compelling reason for them to do so is the enormous penalties.
If you are a business owner, whether GDPR applies to your business depends on your answer to the following question.
Do you collect and process data of EU citizens?
If you don’t, then GDPR doesn’t affect you, since nobody will exercise their GDPR rights over the data you collect. Which can change the moment
If you answered “yes”, then GDPR will affect your business. No matter whether your business is located in Brussels (capital of the EU), Laos or a click farm in Alabama. The rights of EU citizens in regard to their data don’t stop at the EU border.
Does that mean it’s time to panic?
Well, it’s almost the 25th of May, so you decide…
Okay, it’s not time to panic. But you should prepare for the impact that GDPR will have on the way you collect and process data. The GDPR is a big document and I’m not going to give you any legal advice, but what I will do is summarise the rights given to EU citizens under the new law, and what you can do to adapt.
Consent to collection of data
EU citizens have to consent to the collection of their personal data, and this consent has to be given in an irrefutable way. They also have to give consent for the specific usage of their personal data, and they have the right to be informed about what their personal data will be used for.
E.g. if you run a newsletter, under the GDPR:
- They need to be informed about what you’ll use their name and e-mail address for. Even if it’s obvious.
- They need to consent to the use of their personal data for a specific purpose. If they didn’t give consent to “send advertisements or related information”, then you can’t send that sort of information.
- You’ll need to be able to prove that they gave consent.
- They have a right to know who will process their data, and have to consent. You can’t transfer their data to third parties without their permission.
Changing, removing and requesting their data
Under GDPR, EU citizens are also given rights in regard to personal data that you already hold. They have been given the following rights:
- The right to change and complete personal data
- The right to delete (all) personal data you’ve collected
- The right to learn what personal data you have collected. This data must be sent to them in a clear, readable format.
None of the above rights will lead to outrageous changes to the way you offer services to EU citizens. It might mean that you need to review your procedures. Maybe the way you collect data will be a little bit less sexy.
And if GDPR somehow means that you can suddenly no longer collect their personal data at all… Well, then you should take a good hard look in the mirror and ask yourself what kind of business you were running in the first place.