The General Data Protection Regulation (GDPR) is the biggest overhaul of EU data protection law in more than 20 years. It replaces the current EU Data Protection Directive and aims to create unified data protection legislation covering all individuals in the European Union. It will take effect on May 25, 2018.
GDPR is designed to increase the protection of personal data for all EU residents regardless of where it is collected or stored. The extraterritorial nature of the regulation will be felt globally, because all companies that capture data of EU residents will be required to comply with the legislation. Do you have customers in the European Union? Then you will have to comply with the GDPR.
The application of this law to your business will be determined by what, if any, personal information you collect from your members/surfers.
“Personal data” is defined in the GDPR as any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
So in many cases online identifiers, including IP addresses, cookies and so forth, will now be regarded as personal data if they can be linked back to the data subject without undue effort.
Does your site request information from your members and/or surfers that can be classified as personal?
If you are concerned that your billing company or processor requests this information – be aware that they will have to comply with the GDPR. If you do not request information from your surfers or members, then you probably do not need to concern yourself with compliance. However, even if you only collect an email address through an online form, that may be considered personal data. A person’s online identity can also be considered personal data. For example, I am known as “pornlaw” on many social media accounts. It would not be difficult to identify me solely from that name, so that would be considered personal data under the GDPR. What exactly counts as personal data is a complex question with no real answers at this point.
However, here is more information on personal data or identifiers —
So now that you have decided that you do indeed collect personal data from your surfers/members – how do you come into compliance by May 25, 2018? Take a look at this infographic from the Information Commissioner’s Office in the UK;
You can download a full copy of their “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now” here…
This is an excellent, straightforward, albeit lengthy (11 pages), explanation of how to become compliant with the GDPR.
Are you confused? A lot of people are. But are you ready to be compliant by May 25, 2018?