GDPR has been a hot topic for the past year. On May 25 2018, your business will most likely be affected by the new General Data Protection Regulation (“GDPR”). Despite having been introduced in the European Union, it has an extraterritorial impact and addresses the export of personal data outside the European Union and European Economic Areas.
Any company and individual that processes, uses, stores, and has access to the personal data of individuals in the EU and EEA is responsible for taking appropriate organizational and technical measures and is responsible for its protection. In terms of GDPR, personal information includes an individual’s name, phone, email, address, location data, habits, username, and other personally identifiable data. The GDPR protects any individual that resides in the European Union and the European Economic Areas.
Any company and individual is responsible to comply with GDPR, if it offers goods and services to individuals residing in the affected territories. That said, if your website offers goods and services to individuals globally, or if your website is translated into one of the European language, offers international or EU delivery, collects data and analyses personal behavior of EU and EEA users, then you are the responsible entity. Be sure that you comply with the GDPR as the sanctions are extremely high. The regulatory authorities may impose a written warning in case of first and unintentional non-compliance. Furthermore, the monetary sanctions can be implied with a fine of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.
In order to be compliant with the GDPR, each company or individual are required to comply with certain important provisions and guarantees:
- any user has the right to request erasure of personal data;
- an explicit written consent has to be received from individuals for the purpose of collecting and processing personal data;
- a company has to appoint a Data Protection Officer responsible for compliance with the GDPR;
- in case of any breach, the regulator and users have to be informed of such a violation within 72 hours;
- new internal rules on data protection have to be introduced in the company;
- a user may request for a copy of his/her personal information in machine-readable form;
- new rules on children protection are introduced.