As one of the world’s largest social media sites faces backlash for sharing private consumer information with an analytics site, it should be no surprise that regulatory agencies are taking extensive steps to keep companies from invading the privacy of customers and others who visit their websites. In particular, the 28 nations of the European Union have banded together to create new data regulations to keep their citizens safe from invasive advertising.
The General Data Protection Regulation (GDPR) is the first data security improvement made in the European Union since 1995. It is intended to guarantee that consumers in the EU don’t have to worry that their sensitive private information is being passed around to third parties.
If you are a business owner, these new regulations put the responsibility on you to keep your customers’ information safe. GDPR will affect companies globally, because it applies to the processing of European citizens’ data regardless of where the company in question is based.
Implications of the GDPR
If you regularly market your service to a global market, you are responsible for complying with the GDPR, even if you don’t typically have a customer base in Europe.
If you require visitors to register with your site or to provide personal information such as their phone number, email address or credit card number, you will be required to follow the new regulations. And if you’re not sure who your audience is or how much information they provide, it would be wise to adhere to the GDPR, since the fines for failing to comply are severe: up to €10 million or 2% of your company’s global revenue for a simple infringement.
Components of the General Data Protection Regulation
The new regulations for business owners in the United States require them to carefully consider how they track and store consumer information, as well as what they do with information once they have received permission to use it. Included in the new regulations:
- Consumers who visit your website must give you “explicit” permission to use their private information, and you must be specific about what you will be using it for. You cannot simply provide a link to a legal document containing the terms and conditions; you must provide a checkbox or text box where they can specifically consent to giving their information.
- You must have permission from the consumer for each step of processing done with their personal information. For example, not only must they consent to giving you their private information, but you must also have their permission if you plan to share that information with marketing executives or third parties.
- If information has been compromised or lost by your company, you have 72 hours to report this breach to an EU regulator or other supervising regulatory agency. This includes information that is accidentally provided to a third party or has been viewed by unauthorized people, even if those people were in your own company.
- If private information such as a person’s credit card number or bank information is leaked, you will also have to inform the customer of the breach of information.
What this means for your business
If you have a large Internet presence, you probably already have data security protocols in place, such as ISO 27001 or PCI DSS, but if you don’t, this is the time to invest in such standards to save yourself the inconvenience and cost of a possible breach of information.
To protect yourself, you can also put a Security Information and Event Management (SIEM) tool into place. A SIEM collects and correlates security event logs, which helps you detect and investigate a breach in time to meet the reporting deadline and gives you a procedure for keeping private information secure.
About the author
Tim Becker is a partner at Minneapolis’ Johnson // Becker PLLC and lead sponsor of WageAdvocates.com. He is committed to providing clients effective, aggressive legal representation, and has prosecuted numerous individual FLSA violation claims.