Who must comply with the GDPR?
You must comply with the GDPR if you (a) offer products or services to EU citizens, or (b) collect information from EU citizens. This means startups and other businesses in Kansas City may have to comply with the new rules.
Additionally, the GDPR will apply to both Data Controllers and Data Processors:
- “Data Controllers” are the companies that decide how data is collected and used. (This is usually your company.)
- “Data Processors” are the companies that process, collect, store, and maintain the data. (This is usually a third party, like MailChimp or Google Analytics, but it can be your company in certain situations.)
What data is covered by the GDPR?
The scope of the GDPR is perhaps the most expansive scope of any privacy law in the world. It divides information into two categories:
- “Personal Data” includes any information that can be used to identify an individual. That can include names, email addresses, physical addresses, IP addresses, cookie strings, photos, videos, and more.
- “Sensitive Personal Data” is the same as Personal Data but it includes more sensitive information such as health data, genetic data, sexual orientation, religious or philosophical beliefs, political views, and more.
What are the penalties for non-compliance?
Failing to comply with the GDPR can be very costly. The penalties can be as high as 4% of your worldwide annual revenue or €20 million, whichever is higher.
How do you comply with the GDPR?
There is no way this blog post can provide a thorough GDPR compliance checklist. But below is an abbreviated compliance process you might consider as a starting point.
- For Data Controllers:
  - You must conduct a Data Privacy Impact Assessment to evaluate what data you collect, how it is protected, and what risks exist with respect to that data.
  - When collecting Personal Data:
    - You must obtain clear, unambiguous affirmative consent (this can be as simple as the individual typing their email in a box and clicking “Signup”).
    - Additionally, you must:
      - Be Transparent: Ensure all Personal Data is processed lawfully, fairly, and in a transparent manner.
      - Have a Legitimate Purpose: Limit the purpose to specified, explicit, and legitimate purposes.
      - Limit Data Collection: Only collect data which is necessary for the above purposes.
      - Stay Accurate: Be accurate and keep all of that data up to date.
      - Limit Data Retention: Limit data retention to a period which is no longer than necessary for the above purpose (with some archival exceptions).
      - Provide Security: Provide appropriate security of that data, including protecting against unauthorized and unlawful processing and against accidental loss, destruction, or damage.
  - When collecting Sensitive Personal Data:
    - You must obtain explicit consent (this generally requires the individual to check a box that says something like “I agree to the Terms of Service and Privacy Policy” before clicking “Signup”).
    - You must also comply with the “additional” requirements above and with additional requirements in the regulations.
- For Data Processors:
  - Data Processors must keep written records about how they process the data, maintain appropriate security measures, and notify Data Controllers of data breaches without undue delay.
- When you need a Data Protection Officer:
  - If you process Sensitive Personal Data or data relating to criminal matters, are a public authority, or regularly process data at a large scale (like banks), then you must appoint a Data Protection Officer to oversee your GDPR compliance. This can be someone inside of your company or it can be a third-party contractor. The DPO will have additional compliance obligations under the GDPR.