Countries that fall within the EU are supposed to follow the guidelines presented by the GDPR. But even if you do most of your business in the US, it’s always better to be safe than sorry when it comes to your business.
We know the whole idea of the GDPR can be overwhelming and confusing, so read on for a simple breakdown of the act so you can keep your business protected.
What is the GDPR?
The General Data Protection Regulation was created by the European Union, and went into effect on May 25, 2018.
The GDPR aims to: “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
The GDPR applies to anyone who collects and/or processes personal data.
What is Personal Data?
Personal data is any information that can effectively identify a living individual.
Some examples include:
- Email address
- Phone number
- Home address
- Identification card number
- IP address
- Cookie ID
Consequences of Violating the GDPR
To put the consequences of violating the GDPR into perspective: if you violate any of the rules put forth by the act, you could be subject to fines of up to $20 million, or 4% of your worldwide turnover for the year.
For example, Facebook’s fines could be up to $109 billion for their breach of privacy.
The good news is unless you’re processing large amounts of data (like Facebook was), you’re at a lower risk of getting caught for not being compliant. But whether or not you get caught is left up to chance — staying in compliance so you don’t have to worry about it is in your control.
The biggest loss for most people if they violate the laws of the GDPR is reputational damage. You could potentially lose your clients because of an illegal use or distribution of their data.
How to Stay GDPR Compliant
In order to stay compliant within the GDPR, you must follow 8 Data Protection Principles when collecting data:
Principle 1: Lawfulness, fairness and transparency
- You must obtain the data lawfully, which means you must have a legal basis for processing it.
- You must obtain the data fairly, meaning what you actually do with it must match how you described it to the data subject.
Principle 2: Purpose Limitation
- You must be very clear about the purpose of obtaining the data and keep data collection to a minimum.
- Basically, if you don’t need the data, then don’t ask for it.
Principle 3: Relevance
- Data should be adequate and relevant, so only take data that is necessary for the purpose outlined.
Principle 4: Accuracy
- Your data must be accurate. If an email bounces, delete the inaccurate address.
Principle 5: Storage Limitation
- You cannot keep data longer than required for your purpose. So for example, if you collect someone’s email address for a campaign lasting a month, you can only store their data for the length of the campaign.
- Practice good list hygiene by removing old data to keep your list up to date.
Principle 6: Processing
- Personal data must be processed in accordance with the rights of the data subjects. You must have a lawful ground to process the data.
There are 6 ways to obtain this lawful ground:
- The user has given you consent to process their data.
- Processing is necessary for a contract: if someone has entered into a contract with you, you have lawful ground to process their data.
- Processing is required by a legal obligation. For example, an employer asking for employees’ social security details is necessary for taxes, so the employer has lawful ground for processing that data.
- You have lawful ground to process someone’s data if you have reason to believe they would have a legitimate interest in your product or service. For example, you can market to existing customers if you think they would benefit in some way. You are taking responsibility for that decision, so be careful: you must include an opt out, and you must market to them within a reasonable amount of time.
- Public authorities and organizations have lawful ground to process data in the public interest.
- You have lawful ground to process data if it is in the vital interest of the person. For example, a hospital does not need consent to look up a patient’s ID after a serious accident in order to provide treatment.
Principle 7: Security Measures
- Your data must be kept secure. You have to make sure that an attacker cannot break into your database and steal the personal data it holds.
Principle 8: Transfers
- Personal data can’t be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures adequate protection for the rights and freedoms of data subjects.
Facebook Advertising: Staying Compliant with the GDPR
In the case of Facebook advertising, Facebook is the data processor and controller. To stay compliant with the GDPR, Facebook needs to acquire lawful ground for processing the data it collects.
As soon as you take the data off of Facebook’s platform and do something else with it, like adding a contact to your email list, you become the data controller and would need to acquire lawful ground for its use.
In most cases, you would probably be able to rely on “legitimate interest” as the legal grounds for acquiring and using this data.
Whenever pixels are used on your site, you must make visitors aware of it when they land on your site.
A notice popup is a great way to cover your behind when it comes to the GDPR. Although you may not think you get website visitors from the EU, chances are you’ve had at least one in your website’s lifetime.
Like we said before, better safe than sorry.
In the pop up, you must include:
- What pixels are being used on your site
- Any other information about how you are using the user’s personal data
These all fall under Principle 1: Transparency. Be transparent about what you are doing with the data, and you won’t run into any issues.
We know that all of that information can be a lot to handle.
Do you have questions about your website and want to make sure it’s up to date with these new regulations? Contact us today and we’ll make sure you are compliant, or help you get there if you’re not.