The General Data Protection Regulation (GDPR) went into effect in 2018. This European Union privacy law regulates how data is collected, stored and used. GDPR compliance applies to companies who do business within the EU.
The GDPR is designed to protect consumers from misuse of their personal information, such as names, banking information, credit card numbers and other private details. Failing to comply with these regulations can result in fines of up to €20 million or four percent of the company’s global revenue, whichever is higher.
Compliance involves creating a privacy policy for your company that meets each of the GDPR’s seven key principles.
What is GDPR?
The GDPR applies to all companies doing business within the EU, even if they’re located on other continents. This is because the law aims to protect EU citizens and consumers.
Other countries help enforce the laws through mutual assistance treaties and other agreements, but enforcement authority rests with the EU.
According to one study, which surveyed “7,500 consumers in France, Germany, Italy, the UK and the U.S., 80 percent of consumers said lost banking and financial data is a top concern. Lost security information (e.g., passwords) and identity information (e.g., passports or driving license) was cited as a concern of 76 percent of the respondents.” Worse, 62 percent of the respondents said that they’d blame the company for the data breach—not the hackers themselves.
Data privacy is a serious concern, and not just for consumers. The fight to keep data secure and private is a challenge that gets more difficult over time. The GDPR was designed to give businesses a broad framework for guiding their policies.
The GDPR has seven key principles to guide data collection and use:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Detailed information about these principles can be found in previous blog posts. The key takeaway to remember is that it doesn’t matter where your company is located: if you collect data from European data subjects, you’ll need to ensure you comply with the GDPR rules.
GDPR Compliance in the EU and the US
GDPR compliance is similar in both the EU and the United States. The standards are the same for every member state and for any company outside the EU that does business within them. This makes it easier to set a single standard across the board, but businesses will still need to develop a privacy policy to stay compliant.
Here’s a general compliance checklist to consider:
- Determine whether you’re collecting EU personal data: The first thing you need to do is conduct a data audit. Are you collecting personal information from anyone in the EU? If so, you’ll need to comply with the GDPR.
- Inform customers why you’re collecting and processing their data: You’re required to be transparent and honest about how and why you’re collecting consumer data. This may mean updating your privacy policy, and it brings extra duties if you process data on the basis of consent.
- Reconsider your data processing procedures: Next, assess whether your current data security and processing practices are sufficient. End-to-end security and other organizational safeguards can be helpful. Consider hiring a security firm for a risk management assessment.
- Find out whether you need an EU representative: Certain US companies will need to designate a representative within the EU. Article 27 explains which companies must have a representative, and which are exempt.
- Know what to do if there’s a data breach: Articles 33 and 34 enumerate what a company must do if they discover a data breach. Familiarize yourself with the process before anything goes wrong—and have a system in place to deal with potential issues.
- Consider cross-border transfer law compliance: If you wish to transfer data to non-EU countries, you’ll need to comply with cross-border transfer laws. Article 45 covers this obligation.
Create a GDPR Privacy Policy with SixFifty
Let SixFifty’s privacy toolset take the hard work out of creating your GDPR privacy policy! We use proprietary technology paired with expertise from some of the country’s top attorneys. You don’t need to hire international privacy law experts—all you have to do is answer a few questions for us. Once you’re finished, our software generates a customized GDPR privacy policy. Simply download, then have your legal team review and sign off. It’s the easiest way to stay compliant with ever-changing global laws.
Stay Compliant at All Times
GDPR compliance is key—unless you want to rack up millions of euros in fines, it’s important that you have a policy in place. SixFifty makes it fast and easy to stay in compliance with EU privacy regulations. Within a few clicks, you’ll have everything you need to create a policy—and to keep it updated.
If you’re ready to get started or have further questions, schedule a demo with SixFifty today.