Disclaimer: This blog post is to be considered as a guide to help you understand the principles of the GDPR. It is not to be treated as legal advice. If you’re looking for legal advice, contact a lawyer familiar with the laws of your jurisdiction and ask her/him for legal advice and answers to specific questions about your business and website.
GDPR, the European Union General Data Protection Regulation, goes into effect May 25, 2018. If you’re not familiar with GDPR, read up, as it could result in heavy fines for companies who are non-compliant.
Did I say heavy fines? Oh yeah.
Up to 12 MILLION DOLLARS in fines for non-compliance.
That’s 12-million with a 12 and a million.
You don’t have to be a European Union business owner to be affected by the GDPR; as long as you’re collecting email addresses or any other information protected by privacy laws, you are required by law to comply.
In other words, the GDPR applies to all companies processing and holding the personal data of anyone who resides in the European Union, regardless of the company’s actual location. It gives individuals 8 rights when it comes to protecting their privacy.
If you’re a United States business, and you’re collecting data of EU citizens, regardless of whether you’re providing free or paid goods and services, you are impacted by the regulation.
What constitutes personal data when it comes to GDPR?
Personal data is any information that can be used to identify a person, including their name, a photo, an email address, bank details, posts on social media, even a computer IP address.
Don’t rely on your Privacy Policy to do the heavy lifting for you. Users must be made aware of the salient facts in an easy-to-read notice, using plain language (not legalese), at the point of consent or data collection.
In other words, a simple link to your Privacy Policy is not enough to cover your assets when it comes to the GDPR. However, you will still need to beef up your Privacy Policy to be compliant.
You need to get CONSENT with a capital C.O.N.S.E.N.T.
The conditions for consent have been strengthened; companies will no longer be able to use long, illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Remember, the EU GDPR applies to businesses who are accessing the personal data of EU residents for whatever reason, whether it’s to deliver free or paid information/content and/or programs and services.
I have just added new content regarding the GDPR in my DIY Legal Toolkit as well as a new beefed-up Privacy Policy template and a checklist to help you get GDPR compliant. If you’re already an owner of the Toolkit, you get that content automatically! (Mega Toolkit owners always get access to all new content that’s added to the kit.)