Have you received a ton of privacy update messages this week? GDPR is why.
The European Union General Data Protection Regulation came into effect Friday. Two weeks ago, my column, “GDPR and What it Means for U.S. Companies,” shared some insights into why this new European law will impact companies in the United States.
As you’ve undoubtedly seen over the last week, it impacts you too. Everyone I talked to this week commented on the marked increase in email messages received about updated privacy policies and requests to confirm existing email subscriptions. You can thank GDPR. Many companies are sending these updates to all of their customers, regardless of what country they are nationals of or residing in, to be in compliance with GDPR.
One key provision of GDPR is clearly communicating your data privacy and retention policies to people who register with your website. Some sites consider these new requirements so onerous that they have chosen to shut down out of fear of not being able to comply. If a website asks you to register to log in or receive email communication, it is likely collecting enough information to be governed by GDPR. The new law requires companies that collect personal information to make it clear to those people exactly what information is being collected and stored. In addition, the individual has the right to request that the information be purged from the company’s databases. The individual may also request to know what data the company has stored about them at any time. In other words, you have the right to be forgotten at your request.
Companies that collect this type of data are required to have a data protection officer or DPO. Part of the DPO’s responsibility involves ensuring personal data is removed from company systems once it is no longer needed. They are also responsible for processes that will remove personal data of anyone who requests it be removed. The DPO is basically charged with making sure your business practices comply with GDPR.
Another key part of the law is that you may only send email communication to individuals who request it. That is why many of the email messages sent over the last week ask you to take steps to reconfirm you want to receive email from the company. Some state right up front that you will no longer receive emails unless you go to the company website and in effect re-subscribe to receive email subscriptions you may have been getting for years.
This is why you’ve been seeing a flood of emails about privacy policies and email subscriptions leading up to Friday, May 25. Now that the law is in place, it will be interesting to see what may change over the weeks and months ahead. There is a lot of concern about the hefty fines GDPR allows to be levied against violators. In my opinion, there is still a lot of education and awareness training that must take place before fining a company. As evidenced by the uptick in privacy and email update messages, many companies are scrambling at the last minute to do what they think they need to. That’s the fault of the company for sure, but I hope any infractions will be dealt with fairly and reasonably, rather than simply applying the letter of the law when it comes to financial penalties. Certainly, everyone is hoping GDPR and other laws like it help drive a culture of protecting personal information and better overall security across the board.
If you are a U.S.-based company doing business in the EU, employing citizens of the EU, or employing foreigners residing in EU countries, you need to be sure you are in compliance. GDPR is here; are you compliant?