The Deal With GDPR

If you have not yet investigated the new General Data Protection Regulations (GDPR) and have not yet conducted an inventory of what personal data your website or business processes, you may be behind the “GDPR curve”. This curve is the sweeping spread of businesses looking into data processing, storing, retrieval, and the modification of current practices. 

What is the GDPR?

In case you haven’t heard about the GDPR yet, it is a set of data regulations implemented by the EU:

GDPR= General Data Protection Regulations

What this means is that there are now laws in place to protect the privacy and processing of personally identifiable data or PII. Let’s break this down.

The regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union. Business processes that handle personal data must be built with privacy by design and by default, meaning that personal data must be stored using pseudonymization or full anonymization.

It is also expected that a business uses the highest-possible privacy settings by default so that the data is not available publicly without explicit consent and cannot be used to identify a subject without additional information stored separately.

A processor of personal data must clearly disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any third-parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances.

It was adopted on April 14, 2016, and after a two-year transition period, became enforceable on May 25, 2018.

What does this mean for businesses in the United States?

While the specific GDPR policy wasn’t put into place in the United States, it is already having an impact on how Americans treat and process data. Data privacy concerns are here to stay and the fact that GDPR is being enforced on the other side of the Atlantic does not leave the US immune to its effects. In fact, California recently passed a strict data privacy law which will put more control in the hands of consumers regarding their personal data in a similar fashion to the regulations stated by the GDPR.

More importantly, companies around the world that fall under GDPR and are found to be non-compliant can risk getting fined up to €10 million, or 2% of their worldwide annual revenue of the prior financial year, whichever is higher. While the amount of the fine is based on a number of infringement criteria, this may not offer much relief considering the maximum amount of fines possible.

What is Global Reach doing about GDPR?

In anticipation of all these changes, Global Reach has already begun taking the necessary steps to ensure that our clients can make their websites GDPR compliant. 

However, it is important to note that there is a very important distinction to be made between being GDPR compliant as a whole and making a website GDPR compliant. We encourage you to seek legal counsel to assess whether you need to be GDPR compliant or not.  In the event, you need to be compliant or in the event, you simply want to ensure that your website does not violate any data privacy regulations, we encourage you to reach out to Global Reach to begin the process to make your website GDPR compliant. Here’s how we can help you to do just that:

1. We can perform an audit of your website to identify and document what personal information is processed and via what means (e.g. cookies, submission forms, tracking codes, etc.). This will allow us to discuss with you ways with which these issues can be addressed. 
2. The Global Reach Website Privacy Policy is GDPR-compliant. You are free to copy and adapt it for your needs, but do not forget that having a GDPR-compliant privacy policy without the right procedures in place to enforce it, is not sufficient. We, therefore, suggest that you finalize your Website Privacy Policy with your Legal Department.
3. Our Submission Forms module, which is used to create an online submission form, provides the ability to encrypt personal data that is captured online. During the audit, we will identify and document any and all such data and decide what actions need to be taken to encrypt it. 
4. In addition to encrypting personal data captured via any online forms, we can also add a consent confirmation to all submission forms on your website the same way we have implemented it on the Global Reach Contact Us page.

We hope this information has been helpful and we encourage you to reach out with any questions you may have, or visit our website for more information on GDPR.