This spring the European Union rolled out a privacy law known as the General Data Protection Regulation. The regulation sets a new global standard for individual data collection, use, and protection. It’s shifting the paradigm on the way personal data is handled, and all business owners should take note. If you have an employee or customer base in the EU, you must make sure you are in compliance or risk heavy fines and a legal hot mess. Even if you don’t have contacts in the EU, GDPR signals it’s time for you to reconsider any personal data you collect and to assess its security.
What Kind of Personal Data Are We Talking About?
Almost everything. The definition of personal data under GDPR is very broad: personal data is any information that relates to a living individual. This can include your name, home address, email address, phone number, or even location data from your mobile device.
A New Global Standard
It’s important to understand the driving principles of the GDPR legislation. Whether you have customers in the EU or not, these principles are now setting the standard. All companies can check themselves against these practices when collecting any personal data on employees, clients, or potential customers.
GDPR Guiding Principles:
Companies may only collect personal data for a clearly defined, legitimate purpose. They may not use personal data for a purpose other than the one for which it was collected, and they may not collect more data than that purpose requires. Example – If you are delivering pizzas, you can ask for a home address but not the marital status of your customer.
Giving individuals control of their privacy is a guiding principle of the GDPR legislation. Along with obtaining consent to collect their data, companies must give individuals the ability to access and view that data and to delete it if they so choose.
Companies must secure the personal data they collect and process. If a data breach occurs, you must notify individuals within 72 hours of becoming aware of the breach. Gone are the days of notifying customers months or years after a breach.
Length of Storage
Data should only be kept as long as it is legitimately needed for its intended purpose. Example – If you keep employee data, you must purge the information when you no longer have an employment or legal relationship with an individual. Similarly, customer data should be purged at the end of a contractual relationship.
The GDPR was seven years in the making, and its guiding principles make good business sense. Companies that adopt these principles stand to strengthen trust with customers, and they will be better positioned to compete in a marketplace that is being required to take more responsibility for data privacy and security.
We are currently helping Bellaworks clients comply with GDPR, and we keep up with the latest standards in security. Talk with us about how we can help your company.