Is your business ready for the European Union's strictest -- and newest -- data protection law, the GDPR?
Even if your business is in Singapore, Australia, or anywhere outside the EU, the GDPR may still apply to you. And it comes into effect on 25 May this year.
Here's our guide on the basics of GDPR, why it applies outside the EU, and how it affects common web practices.
Use the table of contents to skip sections.
The GDPR (General Data Protection Regulation) is a data protection legal framework. It protects EU residents by dictating how personal data is collected, stored, and used. It also gives individuals significant control over their personal data.
With recent breaches in personal data, like Facebook and Cambridge Analytica incident, the GDPR comes as a timely solution.
Personal data: Any information that can be used to identify someone, either directly or indirectly. Some examples include name, email address, IP addresses, cookies, financial details, and location data.
Cookies/IP addresses & GDPR: Every website (and blog) rely on cookies that gather user information to function correctly and securely. Some of this information includes location data and IP addresses, which can potentially be used to identify a person (i.e. personal data).
As such, the GDPR applies to websites that get EU visitors as well.
Opt-in Forms & GDPR: Likewise, almost every website and blog display opt-in forms for newsletters, service subscriptions, and more. The GDPR considers a person's name, contact information, address, credit card details, and more, personal data.
The later section will show examples of GDPR compliance relating to common website elements.
Operating your business or website outside of the EU? The GDPR still matters.
So long as your business (or organisation) holds personal data of EU residents, you have to adhere to the GDPR’s strict requirements.
This includes personal data collected when someone from the EU:
To find out if the GDPR applies to your organisation, answer these three questions.
The deadline for GDPR compliance is May 25, 2018.
This data protection law prescribes hefty fines of up to 4% of a business's global revenue 0r €20 million (whichever is higher).
Moreover, businesses that don't follow data protection best-practices, which the GDPR extensively covers, stand to lose their customers' trust (hint: Cambridge Analytica and Facebook).
So... your business already complies with Singapore’s Personal Data Protection Act (PDPA). What else is there to do?
How is the GDPR any different?
The PDPA is limited in scope and lacks individual rights to personal data, like other data protection laws in the APAC region.
Conversely, the GDPR gives EU residents control over their personal data. It also dictates strict notification procedures in the event of a data breach.
Continue reading for the plain English summary of the 88-page original GDPR framework (dry technical legalities). Do note that this is not an official EU Commission or government resource and doesn't constitute legal advice.
Your business has to get explicit consent to collect and use personal data from an individual in the EU. The individual cannot be under the age of 16.
Consent must be:
In other words, if you've collected personal data for the express purpose of billing, you're not allowed to use the personal data for marketing purposes. To do that, you have to seek consent separately.
The GDPR give individuals the rights to:
Businesses/organisations, whose operations involve regular monitoring of individuals and/or processing sensitive personal data, have to appoint a data protection officer.
Please approach a GDPR consultant for further advice.
People shouldn't have to jump through hoops to get stricter privacy practices (or settings). The GDPR requires the strictest privacy by default.
In the same vein, a business/organisation should take measures to collect and process data that is only necessary for the permitted purpose.
If a personal data breach does occur, the business/organisation must notify the relevant supervisory authority within 72 hours.
Also, if the breach poses a high risk to the rights and freedoms of the individual, the business/organisation has to notify those individuals promptly.
Implementing the changes to be compliant with GDPR is extensive (88 pages of technicalities). You will have to audit your organisation's data collection and processing processes.
Because each business/organisation differs in operations and extent of data processing, there isn't a one-size-fits-all solution to GDPR compliance.
Hence, consider engaging a GDPR consultant or legal expert if your organisation caters to the global or EU market.
If you're just getting started, your business will unlikely be fully compliant with GDPR by 25 May. However, basic compliance is better than none. Work towards being fully compliant eventually.
Make sure your staff and colleagues are aware of the basics of GDPR. Doing so would give each department an idea of what they have to do.
[caption id="attachment_8539" align="aligncenter" width="1024"] Staff awareness is the first step to GDPR compliance.[/caption]
Send our GDPR guide to staff members easily right now... (continue reading the next point below)
[cta id="8522" vid="0"]
Write your privacy policy in plain language. The information you provide has to be concise, transparent, and easily accessible.
[caption id="attachment_8425" align="aligncenter" width="1024"] Example: The University of Edinburgh's privacy policy is transparent with all matters of user privacy.[/caption]
Explain the following:
For more information on setting up your privacy policy, refer to GDPR Framework's privacy policy resource.
Tip for WordPress users:
If you're using WordPress to run your website/blog, use The GDPR Framework plugin as it contains a GDPR-compliant privacy policy template. The template also covers cookies and Google Analytics. Please make sure to edit the template.
When collecting and processing personal data, all sign-up and subscription forms (e.g. email newsletter, service subscription) must adhere to these standards:
[gallery link="none" columns="4" ids="eyJ1cmwiOiJodHRwczpcL1wvYmxvZy52b2RpZW4uY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDE4XC8wNVwvTmFtZWQtUGFydGllcy1lMTUyNTgzNDYwOTM3NS5wbmciLCJ0aXRsZSI6Ik5hbWVkIFBhcnRpZXMiLCJjYXB0aW9uIjoiIiwiYWx0IjoiIiwiZGVzY3JpcHRpb24iOiIifQ==,eyJ1cmwiOiJodHRwczpcL1wvYmxvZy52b2RpZW4uY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDE4XC8wNVwvVW5idW5kbGVkLnBuZyIsInRpdGxlIjoiVW5idW5kbGVkIiwiY2FwdGlvbiI6IiIsImFsdCI6IiIsImRlc2NyaXB0aW9uIjoiIn0=,eyJ1cmwiOiJodHRwczpcL1wvYmxvZy52b2RpZW4uY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDE4XC8wNVwvRGVsbC1TY3JlZW5zaG90LWUxNTI1ODMzNjk5MTUwLnBuZyIsInRpdGxlIjoiTmVnYXRpdmUgZXhhbXBsZTogQ29uc2VudCBjYW5ub3QgYmUgcHJlLXRpY2tlZC4gKEdEUFIpIiwiY2FwdGlvbiI6IiIsImFsdCI6Ik5lZ2F0aXZlIGV4YW1wbGU6IENvbnNlbnQgY2Fubm90IGJlIHByZS10aWNrZWQuIChHRFBSKSIsImRlc2NyaXB0aW9uIjoiIn0=,eyJ1cmwiOiJodHRwczpcL1wvYmxvZy52b2RpZW4uY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDE4XC8wNVwvQ2lzdG9yLUdyYW51bGFyLWUxNTI1Nzc3MDg3MjQwLnBuZyIsInRpdGxlIjoiQ2lzdG9yIC0gR3JhbnVsYXIiLCJjYXB0aW9uIjoiIiwiYWx0IjoiIiwiZGVzY3JpcHRpb24iOiIifQ=="]
Active opt-in: “No” (or unticked) must be the default. Silent or soft opt-in are invalid forms of consent under GDPR (see the below example). Users must expressly opt-in to consent.
[caption id="attachment_8402" align="aligncenter" width="548"] Negative example: Consent cannot be pre-ticked.[/caption]
Unbundled: Ask for consent for non-essential communications (e.g. promotional emails) separately. Bundling mailing list consent with the terms and conditions is invalid under GDPR. Moreover, it should not be a prerequisite of signing up unless necessary for the service.
[caption id="attachment_8403" align="aligncenter" width="700"] Example: GDPR requires consent to be separate (unbundled)[/caption]
Granular: Different uses of personal data requires separate consent.
[caption id="attachment_8401" align="aligncenter" width="638"] Example: Separate consent is gotten for email and telephone communications[/caption]
Easy withdrawal of consent: Inform the user that they have the right to withdraw their consent at any time and explain the procedure to do this. The process to withdraw consent must be simple.
[caption id="attachment_8551" align="aligncenter" width="760"] Example: Uniqlo lets its users unsubscribe from promotional emails easily.[/caption]
Disclaimer: This is not an official EU Commission or government resource. Nothing in this article constitutes legal advice. Anyone who intends to rely on the information is solely responsible for verifying the information and obtaining independent expert advice if needed.
[cta id="8519" vid="0"]
Other Stuff