On May 25, 2018, the European Union (EU) replaced its existing data protection directive (dating from 1995) with a policy called the General Data Protection Regulation (GDPR). This new policy was created to hold companies across the globe more accountable for how they collect, store and share the personal data and information of users. But exactly what is a GDPR policy, and how does it affect a US-based company and its website? Most importantly, what does it mean for yours?
In this blog, we will skim the surface (here’s the full policy documentation) of the intricacies of GDPR. This overview can help you and your company ensure compliance, avoiding any fines or other legal trouble.
What is the Purpose of the General Data Protection Regulation?
The purpose of the General Data Protection Regulation is to protect Europeans and their personal data. Basically, the EU wants to make sure that its citizens’ information stays private. To date, GDPR is the strictest and most strongly enforced privacy and security law ever enacted; if you break it, your company could incur harsh fines of up to €20 million or 4% of your global revenue (whichever amount is higher).
The EU defines personal, identifiable data as: “any information that relates to an individual who can be directly or indirectly identified.” Examples include:
- Email address
- Location information
- Biometric data
- Religious beliefs
- Political affiliation
- Web cookies
Do I Need a GDPR Policy on My Website?
If your organization processes the personal data of people in the EU, the short answer is yes. You don’t have to be connected to the EU per se to be subject to this requirement. If you collect, store, transmit, analyze or otherwise handle personal data from people in the EU, you must be in compliance or risk substantial fines.
Of course, there are exceptions. For example, small businesses with fewer than 250 employees may be exempt from record-keeping obligations. You may also be exempt if you don’t conduct any business with people in the EU; however, if they visit your site and you track cookies or IP addresses, you might still fall under the scope of the GDPR.
What Does My Website Need to Be GDPR Compliant?
Your GDPR policy should include all these elements:
- What data you collect
- How you collect, use and store the data
- Marketing options
- Users’ data protection rights
- A definition of cookies
- What types of cookies you use
- How users can manage their cookies
- Privacy policies of other websites linked to yours
- How to contact you and the appropriate authorities with a complaint
More to Come
The GDPR is just the beginning of efforts to protect consumer privacy. More regulations are likely, from other countries as well as from our own. In fact, California implemented the California Consumer Privacy Act in 2018, which went into effect in January 2020.
If you have any questions or concerns about your site’s GDPR policy, give us a call. Our experts will be happy to walk you through the requirements and make recommendations, helping you keep your company’s online operations safe and going strong.