GDPR became effective in May 2018, but it has its roots in earlier European policies. The Data Protection Directive, enacted in 1995, and even earlier the Fair Information Practices began the process of defining how consumer information should be used. This is very different from the privacy regulations for healthcare, finances and federal communications in the US. GDPR is mandated by law for all individuals within the European Union (EU) and the European Economic Area (EEA).
In response to GDPR, Microsoft has created a privacy dashboard that lets customers manage their personal information. Although not all companies are giving all users the same rights as EU users, most are becoming more transparent about their privacy settings. It is up to the user, however, to wade through the privacy legalese and configure settings to ensure their privacy is protected. This also means being aware of the risk of leaving location data turned on.
Why businesses in the US need to know about and comply with GDPR
Because GDPR significantly affects many websites in the US, it is important to understand what it is and what it requires. Otherwise, you will lose access to 500 million people in the EU who want to visit your site and buy from you. Being familiar with the law also provides valuable insight into the questions you could and should be asking about your own data and privacy.
Maybe you're not particularly worried about customers from the EU, but here's the thing: if someone from the EU is searching for services in your local area in preparation for a visit, do you really want to lose that customer's business?
How to be GDPR compliant
If you are a business serving EU customers, you are required to:
- Disclose what kind of data you are collecting about your users, including children where applicable.
- Disclose how personal information is collected and stored.
- Get consent before collecting personal data, including name, email address and IP address gathered via cookies.
- Stop processing or delete a user's data when the user requests it.
- Report any data breaches within 72 hours to a European agency.
- Notify users directly in the event of a high-risk data breach.
GDPR also recommends pseudonymization of personal data to enhance user privacy by enabling more secure processing of the data. Pseudonymization involves detaching certain fields or identifiers from the personal data record and replacing the sensitive fields with pseudonyms. This reduces the likelihood that the natural person could be identified from analysis of the data.
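As an added illustration of the pseudonymization step described above (example code written for this page, not from the article or any compliance tool): direct identifiers are replaced with keyed HMAC pseudonyms, while the key and the reverse lookup table are held apart from the records so that only someone with that separate material can get back to the person. The record layout, field names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Direct identifiers in this (constructed) record layout; everything else stays in clear.
IDENTIFIER_FIELDS = ("name", "email", "ip_address")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym for one identifier value.

    A secret key is used instead of a plain hash, so holders of only the pseudonymized
    records cannot recover e-mails or IPs by hashing guesses. The key and the lookup
    table are the 'additional information' that must be stored separately from the output.
    """
    normalized = value.strip().lower().encode("utf-8")  # "Anna@Example.org" == "anna@example.org"
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Copy of `record` with identifiers replaced; reverse mapping appended to `lookup`."""
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            token = pseudonym(out[field], key)
            lookup.setdefault(token, out[field])  # first-seen original wins
            out[field] = token
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Restore identifiers via the separately held lookup (e.g. to honour an erasure request)."""
    return {f: lookup.get(v, v) if f in IDENTIFIER_FIELDS else v for f, v in record.items()}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep in a secret store, not beside the data
    lookup = {}                    # store apart from the pseudonymized dataset
    orders = [                     # constructed sample records
        {"name": "Anna Example", "email": "anna@example.org", "ip_address": "203.0.113.7", "total": "42.50"},
        {"name": "Anna Example", "email": "Anna@Example.org", "ip_address": "203.0.113.7", "total": "9.99"},
    ]
    pseudo = [pseudonymize(o, key, lookup) for o in orders]
    print(pseudo[0]["email"] == pseudo[1]["email"])    # True: same customer, same pseudonym, so per-customer analysis still works
    print(reidentify(pseudo[0], lookup) == orders[0])  # True: only possible with the separately held lookup
```

Without the key, an attacker holding the pseudonymized table cannot confirm a guessed e-mail address by hashing it, which is the weakness of unsalted SHA-256 "anonymization".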
If all of this sounds complicated, well, it is. Fortunately, there are tools that can automate much of the GDPR compliance process for the vast majority of companies.