The GDPR (EU) 2016/679 regulations go into effect May 25, 2018. Is your business ready?
By Lauretta Shokler | Published June 18, 2018
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU and gives individuals in marketing databases more control over, and transparency into, how their information is collected and used.
Does this Even Apply to My Business?
Yes! In some ways, it applies to all businesses, but for now the biggest risks fall on businesses that have clients in, or market to consumers in, the EU. Since most US-based businesses would primarily collect personal data from EU consumers online, your company website is a key area to consider. Businesses in the hospitality, travel, software services and e-commerce industries in particular will want to take a close look at their risks.
For example, if your website intentionally targets consumers in the EU (e.g. it is written in a native EU language, uses an EU country's top-level domain, accepts EU currency, or references the EU or its member states), then you will definitely want to learn more about these regulations. If your site does not target consumers in the EU, or it only targets B2B clients, then your business would not be required to comply. Also, if you already follow existing data security standards such as PCI DSS, ISO 27001 or NIST, then the changes needed would be fairly minor.
All that said, many industry leaders believe similar privacy rules could be coming soon for businesses that focus on the US. GDPR's requirements are also mostly rules your customers and prospects want and expect anyway, so smart companies like yours should take this opportunity to learn more about GDPR and implement steps to improve the privacy of their data.
What Do I Need to Do Right Now?
What you need to do depends on whether your business is covered by the GDPR regulations:
- If your business is not covered under the GDPR, then your most immediate decision will be how to handle your website analytics data, if you have an account collecting data on site visitors. Google has implemented new data retention controls in Google Analytics that allow you to control how long data is kept. Unless you change the default settings, the following changes will take effect on May 25, 2018:
  - Any user and event data that is older than 26 months will be marked for permanent deletion and will no longer be accessible in Google Analytics.
  - Deletion will affect the use of segmentation, some custom reports and secondary dimensions when they are applied to date ranges older than 26 months.
  - Reports based on aggregated data will not be affected.
Leaving Google's default setting will ensure your analytics data is compliant with the GDPR. If your client base is not impacted by the new rules and you want to retain your data longer or indefinitely, Google provides quick and easy instructions on how to change the retention setting.
- If your business is covered under the GDPR regulations, then you may need to make a number of changes to how personal data is collected, stored and used. For example, you may need to complete a full data audit, adjust online marketing forms to obtain explicit consent, and build procedures to comply with the new GDPR 72-hour breach notification rule.
Osky Blue encourages clients to review the full regulations to determine their GDPR status and risks. Learn more about GDPR and how to become compliant today: