GDPR: What You Need to Know to Stay Compliant

By now, you’re probably sick of hearing about the GDPR, or the General Data Protection Regulation. Because if you’re an American business, you probably think it doesn’t apply to you. 

Countries that fall within the EU and are supposed to follow the guidelines presented by GDPR. But even if you may do most of your business in the US, it’s always better to be safe than sorry when it comes to your business. 

We know the whole idea of the GDPR can be overwhelming and confusing, so read on for a simple breakdown of the act so you can keep your business protected. 

What is the GDPR?

The General Data Protection Regulation was created by the European Union, and went into effect on May 25, 2018. 

The GDPR aims to: “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” 

The GDPR applies to anyone who collects and/or processes personal data. 

What is Personal Data?

Personal data is characterized as any information that identifies a living individual effectively. 

Some examples include:

• Name
• Email address
• Phone number 
• Home address
• Identification card number
• IP address
• Cookie ID

Consequences of Violating the GDPR

To put the consequences of violating the GDPR into perspective, if you violate any of the laws put forth by the act, you could be subject to up to $20 million in fines, or 4% of your worldwide turnover from the year. 

For example, Facebook’s fines could be up to $109 billion for their breach of privacy. 

The good news is unless you’re processing large amounts of data (like Facebook was), you’re at a lower risk of getting caught for not being compliant. But whether or not you get caught is left up to chance — staying in compliance so you don’t have to worry about it is in your control. 

The biggest loss for most people if they violate the laws of the GDPR is reputational damage. You could potentially lose your clients because of an illegal use or distribution of their data. 

How to Stay GDPR Compliant 

In order to stay compliant within the GDPR, you must follow 8 Data Protection Principles when collecting data:

Principle 1: Lawfulness, fairness and transparency

• You must obtain the data lawfully. You have to maintain legal basis to process the data. 
• You must obtain the data fairly, meaning what you process must match up with how it has been described.
• You must be transparent about what you will do with data by providing a link to the Privacy Policy and Terms and Conditions at the time of data collection, and by telling people exactly what you plan to do with the data so that users can make an informed decision. 
• Your Privacy Policy and Terms and Conditions pages should be easily accessible on your website, and should include very clear information about how you use the data collected. 

Principle 2: Purpose Limitation

• You must be very clear about the purpose of obtaining the data and keep data collection to a minimum. 
• Basically, if you don’t need the data, then don’t ask for it. 

Principle 3: Relevance

• Data should be adequate and relevant, so only take data that is necessary for the purpose outlined.

Principle 4: Accuracy

• Your data must be accurate. If a bounce occurs, delete the inaccurate data. 

Principle 5: Storage Limitation

• You cannot keep data longer than required for your purpose. So for example, if you collect someone’s email address for a campaign lasting a month, you can only store their data for the length of the campaign. 
• Practice good list hygiene by removing old data to keep your list up to date.

Principle 6: Processing

• Personal data must be processed in accordance with the rights of the data subjects. You have to have lawful ground to process data. 

There are 6 ways to obtain this lawful ground: 

The user has given you consent to process their data. 

1. Processing is necessary with a contract, so if someone has entered into a contract with you, you have lawful ground to process their data. 
2. If processing is required with legal obligations, then you have lawful ground. For example, an employer asking for their employees’ social security details is necessary for taxes, so the employer has lawful ground for processing that data. 
3. You have lawful ground to process someone’s data if you have a reason to believe they would have legitimate interest in your product or service. For example, you can market to existing customers if you think they would benefit in some way. You are taking responsibility for that decision, so be careful. You must include an opt out and you must market to them in a reasonable amount of time.  
4. Public authorities and organizations have lawful ground to process data in the name of public interest. 
5. You have lawful ground to process data if it is in the vital interest of the person. For example, a hospital does not need consent to search for a patient’s ID after a serious accident in order to provide treatment.

Principle 7: Security Measures

• Your data must be kept safe. You have to be sure that someone cannot hack your database and steal the personal data. 

Principle 8: Transfers

• Personal data can’t be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures adequate protection for the rights and freedoms of data subjects.

Facebook Advertising: Staying Compliant with the GDPR

In the case of Facebook advertising, Facebook is the data processor and controller. To stay compliant with the GDPR, Facebook needs to acquire lawful ground for processing the data it collects. 

As soon as you take the data off of Facebook’s platform and do something else with it, like adding a contact to your email list, you become the data controller and would need to acquire lawful ground for its use.

In most cases, you would probably be able to rely on “legitimate interest” as the legal grounds for acquiring and using this data.

If you partake in Facebook advertising, you need to have a clause in your privacy policy that states this use. If someone opts out of your email list, they need to be opted out of Facebook advertising as well. 

Advertising Pixels

Anytime pixels are used on your site, you must make the user aware when they land on your site. 

By now, you’ve probably seen the little popup on a lot of sites that alerts you of the cookie policy:

 

Image via: https://www.jqueryscript.net/other/Simple-EU-Cookie-Law-Notice-Popup-Plugin-With-jQuery-Qookies.html

This popup is a great way to cover your behind when it comes to the GDPR. Although you may not think you get website visitors from the EU, chances are you’ve gotten at least one in your website’s lifetime. 

Like we said before, better safe than sorry. 

In the pop up, you must include:

• What pixels are being used on your site
• A link to your cookie policy (normally included in your Privacy Policy), which tells the user what cookies are being used on the site
• Any other information about how you are using the user’s personal data

These all fall under Principle 1: Transparency. Be transparent about what you are doing with the data, and you won’t run into any issues. 

We know that all of that information can be a lot to handle. 

Do you have questions about your website and want to make sure it’s up to date with these new regulations? Contact us today and we’ll make sure you are compliant or help you get there if you’re not >