If you’ve done business online in any capacity, you’ve probably gotten a notice, or several, that your software vendor, credit card provider, et al., has a new user privacy policy and/or terms of use. Here’s one from Bluehost that I just received. This has taken place to address the new standards introduced through the General Data Protection Regulation (GDPR), a new European data protection law.
I have blogged about it a few times in our work blog.
Still, what does it MEAN if one is not in the European Union? Specifically, what should an American small business do to become GDPR compliant? It reminds me a little of the fears surrounding Y2K: a lot of concerns but not always a clear course of action.
What I DO know I’ve purloined from various websites:
The GDPR is a new comprehensive data protection law that updates existing EU laws to strengthen the protection of personal data in light of rapid technological developments, the increasingly global nature of business and more complex international flows of personal data. The GDPR replaces the current patchwork of national data protection laws with a single set of rules, directly enforceable in each EU member state. The GDPR takes effect on May 25, 2018.
The GDPR provides EU residents with control over their personal data, such as the right to:
#Access information about how personal data is used – info regarding processing must be provided in a concise, transparent, intelligible and easily accessible form
#Access personal data held by an organization – a company’s processing of personal data must be lawful and where it is based on consent, the consent must be freely given, specific, informed and unambiguous
#Have the purpose for which data is collected be specified, explicit and legitimate
#Have data be processed in a way that ensures appropriate security of the personal data
#Have incorrect personal data deleted or corrected; data must be accurate and kept up-to-date
#Have personal data rectified and erased in certain circumstances (sometimes referred to as the “right to be forgotten”)
#Restrict or object to automated processing of personal data – only data relevant for the purpose laid out can be collected and processed
#Receive a copy of personal data
You can find out more about it by going to the EU GDPR website: www.eugdpr.org. It notes: “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
I’ve tasked myself to try to figure out how this change would affect small US businesses. If you have more insight, such as a game plan that is NOT written in bureaucratese, PLEASE let me know!