HIPAA, OSHA, SOX, PCI – almost every industry has some form of data or physical protection policy. And, it’s for a good reason. These policies are in place to defend people and their rights to share — or not share — information. But, what about online? How is your data protected, and what are your rights?
These legislations have included the Children’s Online Privacy Protection Act (COPPA), Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA) mentioned earlier. But, until California’s Online Privacy Protection Act (CalOPPA), none of these legislations completely protected the data provided online.
But, there is one thing you should know before scrambling to find out how to protect your business: the GDPR only applies to EU and UK residents. So, why should businesses from the United States — for lack of a better word — care?
There is one particular article within the GDPR that may impact businesses outside the EU. Article 3 outlines the territorial scope of the GDPR and states that any business targeting Union residents must adhere to the regulations outlined. This includes any information collected while monitoring Union residents.
The Internet is a vast space for people from all over the world to visit your website. While you may not necessarily be targeting residents of the EU, there is a chance that a resident from the Union will use your site and you may inevitably collect the information from that visit. What then? Will you receive a hefty noncompliance fine? The answer is likely no, but using GDPR as a base for privacy protection is the best way to keep your business safe.
Best Practices for Privacy Policies and GDPR Compliance
- Providing opt-ins for information collected
- Allowing visitors to request the information you have about them
- Allowing visitors to edit/update the information you have about them – as long as it doesn’t impact administrative requirements
- Allowing visitors to delete any information you have about them – as long as it doesn’t impact administrative requirements
- Allowing visitors to change their opt-in status
- Having a process for what data is collected
- Securing and encrypting data collected
- Informing visitors how long you’ll hold their data before deleting it
- Informing visitors how their data will be properly deleted
Your GDPR Compliance Checklist
A checklist can help you determine what you’ve already accomplished and what still needs to be achieved in order to meet GDPR compliance. Use this GDPR outline to help you determine your next steps:
- Conduct an information audit — including what information you collect and who can access it
- Determine your legal justification for obtaining data
- Make data protection a key part of your development and data processes
- Encrypt, pseudonymize, or anonymize personal data when possible
- Create an internal security policy
- Determine when to conduct and carry out data protection impact assessments
- Create a process for what to do if there is a data breach
- Designate a Data Protection Officer (DPO) or someone responsible for ensuring GDPR compliance
- Complete a data processing agreement between you and any third parties that may process personal data on your behalf
- Appoint a representative to the countries where you may process data
- Create a process so that it’s easy for customers to request and receive information you have about them
- Make sure this process makes it easy to correct and update inaccurate or incomplete information
- Allow customers to request their information to be deleted
- Make it easy for customers to request that you stop processing their data
- Allow customers to request a copy of their personal data in a format that can be transferred to another company
- Make sure you allow a way for customers to object to the data that you process
- Implement a procedure to protect people’s rights if you make decisions based on automatic processes
- Brand reputation
What to Do If There’s a Data Breach
Mistakes occur, laptops are stolen, and — despite being diligent with the information you collect — sometimes data breaches happen. If that should happen to your business, it’s critical that you inform regulatory parties within 72 hours. In addition, you should:
- Inform those individuals who are affected
- Identify the full extent of the breach and how it occured
- Work toward preventing breaches in the future
*This blog post was written to provide general information about privacy policies and GDPR compliance. For more information, visit the links provided.