GDPR Compliance: What You Need to Know
In 2016, the European Union (which, at the moment, includes the United Kingdom) passed the General Data Protection Regulation (“GDPR”, (EU) 2016/679), which sets stricter requirements for data privacy and protection for companies in the EU and for those that do business with EU residents. The GDPR sets a new standard for data protection, as well as for customers’ access to their information.
As you may have heard, May 25, 2018 is one of the important deadlines for businesses that hold, collect, or transfer any personal data (from customers, employees, or other parties) from or within the European Union to comply with the terms of the GDPR. It is important to note that the consequences of failing to comply can include a warning, a reprimand, a ban on processing data, or fines of up to €20 million or 4% of the business’s total annual worldwide turnover.
Personal data is defined broadly under the GDPR to include “any information relating to a data subject.” Additionally, a data subject is defined as the identified or identifiable person to whom the personal data relates. This broad definition means that names, addresses, phone numbers, email addresses, medical, employment, financial, location, and many other forms of data are considered to be personal data under the GDPR.
Be Aware of the Recent Changes
As we mentioned, there are many other changes regarding how you are allowed to collect and process personal data and what you are required to communicate to customers. There are also steps you can take, if you receive data from the EU, to certify your compliance with key aspects of the GDPR. If you have customers in the European Union, we encourage you to contact us directly to discuss your data collection practices, documents, and operations in more detail, but here are a few examples of changes you will need to make to your data collection and management practices:
1. Data must be processed in a lawful and transparent manner.
2. You must have a specific purpose for processing the data, and you must indicate those purposes to individuals when collecting their personal data (you cannot simply collect personal data for undefined purposes).
3. You must collect and process only the personal data that is necessary to fulfill the purpose stated in #2.
4. You must ensure the personal data is accurate and up-to-date.
5. You cannot use the data for any purpose that is incompatible with the original purpose of collection.
6. You must ensure that personal data is stored no longer than necessary for the purposes for which it was collected.
7. You must implement appropriate technical and organizational safeguards.
As you can tell, this is an important shift in data collection and processing practices in the European Union, and one that reaches beyond the borders of the EU. If you have any data or customers in the European Union, we can help. Modus Law can analyze your data processes and ensure that you comply with these changes, both internally and in your publicly available website policies.
For more information on the General Data Protection Regulation (GDPR), or to get a confidential consultation – call (303) 800-1580 or contact us.