The 5 Most Common Questions About GDPR
There are some major changes happening in how companies manage user data. The General Data Protection Regulation came into effect last month, which has serious implications for how companies—in Europe and all over the world—use the data they collect from consumers.
At Funk/Levis, we are constantly using data and analyzing trends, so we wondered how this new regulation might have an impact on our clients’ business, even if they are US businesses. From what we found out, here are the five questions you should know the answers to so you can make sure your business is GDPR compliant.
What is GDPR?
The General Data Protection Regulation is a new law coming into effect in the European Union (EU). It replaces the 1995 Data Protection Directive and will strengthen the rights of individuals over their personal data as well as hold companies accountable for violating these rights. If companies are found in violation of the regulation, they can face fines as high as 20 million Euros (or 23,547,000.00 US dollars, based on the current exchange rate) or 4% of their global revenue.
What is personal data?
As defined by the European Commission, personal data is “any information that relates to an identified or identifiable living individual.” For example, your email, name, date of birth and current city would all be considered personal data. Companies often use pseudonymization and anonymization to “de-personalize” data. However, GDPR outlines that personal data can only become de-personalized if the data can no longer be used to identify an individual.
What is a data processing agreement?
A data processing agreement is part of the terms of service you’ve agreed to on any number of accounts you’ve created, LinkedIn for example. This agreement between you, the data controller, and the company, the data processor, governs the processing of your sensitive personal data by the company. In the past, these agreements have used very vague language, and it hasn’t been clear exactly how companies use your data.
This is going to change. Under GDPR, data processing agreements will be required to contain easily understood and accessible information for consumers to sign. They will also give consumers the right to get copies of their data, the right to information on how their data is being used and the right for their data to be forgotten, also known as data erasure.
What is GDPR compliance?
To be GDPR compliant, a company will need to carefully handle any sensitive personal data it collects from consumers and provide consumers with ways to control, monitor, check and delete their personal data. It also requires companies to report, within 72 hours, any data breach that may threaten these individual rights.
Does GDPR affect U.S. businesses?
Even though GDPR only applies to EU citizens, it affects companies geographically outside of the EU. GDPR applies to any company that has a database that includes EU citizens. This means that US businesses—of any size—will have to comply with this regulation.
What does this mean to you?
Sorry, there’s a sixth question you also should know the answer to. It’s still unclear what kind of lasting effect GDPR will have on companies and revenue. What is clear is that every company—no matter the size—needs to be more responsible and transparent about how it uses consumer data. For everyone else, this means you might want to take a closer look at all those privacy policies you sign without reading first. Take a closer look at those updated policy emails you’ve been getting in your inbox and know how your personal data is being used.