Collect Customer or Employee Data? You Need to Know About the EU’s New Privacy Law – GDPR

This spring the European Union rolled out a privacy law known as the General Data Protection Regulation.  The regulation sets a new global standard for individual data collection, use, and protection.  It’s shifting the paradigm on the way personal data is handled, and all business owners should take note. If you have an employee or customer base in the EU, you must make sure you are in compliance or risk heavy fines and a legal hot mess.  Even if you don’t have contacts in the EU, GDPR signals it’s time for you to reconsider any personal data you collect and to assess its security.

What Kind of Personal Data Are We Talking About?

Most everything.  The data that is included in GDPR is very broad. According to the policies, personal data is any information that relates to an actual living individual.  This can include your name, home address, email address, phone number, or even location data from your mobile device.

A New Global Standard

It’s important to understand the driving principles of the GDPR legislation.  Whether you have customers in the EU or not, these principles are now setting the standard.  All companies can check themselves against these practices when collecting any personal data on employees, clients, or potential customers.

GDPR Guiding Principles:

Legitimate Interest

Companies may only collect personal data for a very clearly defined legitimate purpose.  They may not use personal data for a purpose that it was not intended.  A company may not collect more data than is needed for the purpose it is intended.  Example – If you are delivering pizzas, you can ask for a home address but not the marital status of your customer.

Consent

Individuals must be told when companies are collecting their data, and they should be allowed control over giving access to their data.  Example – If a company’s website uses cookies to track online activities of customers, this must be disclosed and permission must be obtained.

Individual Control

Giving individuals control of their privacy is a guiding principle of the GDPR legislation.  Along with establishing consent (above), individuals must be given the ability to access and view data and to delete it if they so choose.

Data Security

Companies must secure the personal data they are collecting and processing.  If a data breach occurs, you must notify individuals within 72 hours of being informed of the breach.  Gone are the days of notifying customers months and years after a breach.

Length of Storage

Data should only be kept as long as it is legitimately needed for its intended purpose.  Example – If you keep employee data, you must purge the information when you no longer have an employment or legal relationship with an individual.  Similarly, customer data should be purged at the end of a contractual relationship.

The GDPR was seven years in the making, and its guiding principles make good business sense.  Companies who adopt these principles stand to strengthen trust with customers.  They will be better positioned to compete in a marketplace that is being required to take more responsibility for data privacy and security.

We are currently helping Bellaworks clients comply with GDPR, and we keep up with the latest standards in security.  Talk with us about how we can help your company.