It probably does.
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.
In a nutshell, you may not rely on this as legal advice, or as a recommendation of any particular legal understanding.
GDPR has been around for about two years now, but enforcement begins in late May 2018. Microsoft published a helpful article explaining what it is. In short:
The new General Data Protection Regulation (GDPR) is the most significant change to European Union (EU) privacy law in two decades. The GDPR requires that organizations respect and protect personal data – no matter where it is sent, processed or stored. Complying with the GDPR will not be easy. To simplify your path to compliance, Microsoft is committing to be GDPR compliant across our cloud services when enforcement begins on May 25, 2018.
The regulation's wording is still somewhat vague, but here is what it aims to accomplish:
- Protecting any European Union national’s personally identifying information from malicious use
- Protecting the “right to be forgotten”
- Protecting the “right to request data”
- Becoming a HIPAA-like standard for data handling
Here are some examples outlined by Sue Weaver, http://wpmeetup.susanweaver.net/gdpr/, that help identify whether your business might need to become compliant:
- Collecting email addresses for a newsletter or marketing list (“firstname.lastname@example.org” is personal, “email@example.com” is not considered personal)
- Having a shopping cart installed for taking orders
- Using Google Analytics to analyze website traffic (IP addresses are used)
- Having comments turned on for pages/posts on your website, etc.
- Storing photos of people (would apply to wedding photographers and membership sites like Facebook)
If you fall into any of these categories, you may need to look at how to comply with the GDPR's requirements for data management, deletion requests and more.
But why is this important?
Mostly because of the fines. According to https://www.gdpr.associates/data-breach-penalties/:
There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.
It is unlikely that the EU will go after smaller companies; the regulation appears to be geared towards punishing larger corporations. However, there is a strong likelihood that the United States will follow suit with its own GDPR-style regulations for personal data protection.
How do I become GDPR compliant?
Here are some elements identified by Sue Weaver:
- Auditing the personal data you collect
- Cookies policy
- Process for data deletion requests
- Signed processor agreement
- Updating your business insurance policy
We can also help you become GDPR compliant: call us at (509) 240-9735 or use our contact form, and we at Pullman Marketing would love to help you through this process.