The most important changes in data privacy regulation for the past 20 years will go into effect on May 25th, 2018. Every company that offers goods and services to European Union (EU) citizens or collects their personal data must comply with the new EU privacy rules. Companies that do not abide by these new rules may be fined up to 4 percent of their global revenue. Hence it is absolutely vital for companies to make necessary updates by the stated date in order to avoid potential penalties. Over the last few months, we’ve worked with many of our clients on implementing these new rules and want to share our experience in this article.
Who is affected by the new EU privacy rules?
The new rules for sharing personal data online are collectively called the General Data Protection Regulation, or GDPR, and passed by the European Union. This EU law has 11 chapters and 99 articles and aims to protect personal data and digital privacy.
While these new privacy rules apply in Europe, they affect companies all around the world. According to the GDPR, it doesn’t matter where your business is located or headquartered if you meet either of these criteria:
- offer products or services to citizens of the EU;
- collect personal data from the EU citizens.
For example, if your company is based in the US, but collects email addresses from the citizens of the EU, the law affects you. The GDPR (as a regulation, not a directive) doesn’t require national governments to pass legislation. Therefore, businesses must comply with the rules to avoid severe severe fines.
What does this law mean for you and your customers?
You can collect a lot of personal data from your customers, including their name, email address, credit card numbers, Facebook ID, and IP address. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life”.
The GDPR strengthens individual privacy rights and requires companies to be more transparent about how all personal data is handled. With the new rules, your customers can ask what kind of personal information you collect. It must be possible for customers to download their private data from you and transfer it to another vendor (which may even be your direct competitor). Customers may also can request to permanently delete their personal data.
How will big tech giants comply with the rules?
Many companies have already notified their users about policy changes. Google shared their updated version of privacy rules that will take effect on May 25th, 2018. Amazon confirmed their compliance with the GDPR and introduced features and services on their General Data Protection Regulation Center webpage.
Facebook announced updates to its privacy policies and unveiled new tools that provide access to your personal data. For example, users in the EU will be asked whether they want to turn off the face recognition feature and whether they want to see targeted ads based on the political, religious, and relationship information. Facebook will prompt users to agree to its terms of service and data policy that were revealed earlier. In particular, they introduced Access Your Information, which makes it possible to download a secure copy of your personal data including pictures, contacts, posts, and more.
What do the new privacy rules require?
- Companies must provide users with the right to access their personal information. A copy of the information must be available free of charge and in an electronic format. Users will have the legal right to transfer their data to another entity that also collects data.
- Users will have the right to be forgotten. They should be able to erase certain personal data, stop further dissemination of the information, and have the potential to require third parties halt processing of their data as needed.
- Breach notification will become mandatory and must be done within 72 hours from when you first become aware of the breach.
- Consent has to be clear and distinguishable and provided in an intelligible and easily accessible form.
- Penalties may be severe. The maximum fine is up to percent of annual global turnover or €20 million (whichever is greater). For Facebook, that would be $1.6 billion; for Google, $4.4 billion.
Check the full overview of the main changes and find out how they differ from the previous directive on the GDPR portal.
- Identify the data controller that collects information from EU citizens (usually, it is your company). Also, make sure to include your contact information.
- Don’t forget about lawful reasons for processing data. For example, a person can give consent to the processing of their personal data for one or more specific purposes.
- List out the rights users have under the GDPR – the right of access, right of rectification, right to erasure, right to restrict processing, right to data portability, right to object, and right not to be a subject of automated decision-making.
- Inform users whether you use personal information to make automated decisions (i.e. credit scoring, profiling users, etc.).
- Let users know whether providing personal data is required and what happens if they don’t. For example, an email address may be required to create an account.
- Tell users whether you transfer their personal data to third countries or international organizations.
How do you change your signup forms?
Don’t forget to update your signup forms. Silent or soft opt-in is no longer acceptable for GDPR consent.
According to the new EU privacy rules, companies are obligated to prove that they have the consent of users for the right to process their personal data. Collect consent from new contacts accordingly and get the permissions of existing contacts – just conduct a consent campaign regarding the GDPR.
MailChimp has introduced a step-by-step guide on how signup forms can help companies comply with the GDPR.