Oops! We suffered a breach and your data may be compromised…

April 1, 2018 | Gio M. Brackbill

If you’ve received a concerning email with a subject line like “URGENT: Theft of Consumer Data,” you are not alone. In the past year, Quora, Marriott, Facebook, and T-Mobile are just some of the high-profile companies that made national news for exposing consumer data. Privacy Rights Clearinghouse puts the number of breached consumer records at nearly 1 billion.

In light of the danger posed to consumers and their sensitive information, the European Union (EU) passed a regulation to help protect them. The General Data Protection Regulation (GDPR) brought with it an onslaught of new rules that went into effect in May 2018. One of them is mandatory breach notification within 72 hours in the event of a cyber attack. The GDPR also tells businesses what they are allowed to do with names, email addresses, and other personal data collected online.

If I operate my business in the U.S., why should I care about an EU regulation?

Even though the regulation is aimed at protecting the private data of individuals within the EU from breaches of trust, it is in the interest of many U.S. businesses to ensure that their websites are compliant. Check off any of the following items that apply to your business:

  • You accept payment in euros or British pounds; or
  • You registered an EU-based domain name for your website (e.g. .co.uk for the UK, .es for Spain, .dk for Denmark, .fr for France); or
  • You target Europeans for sales by marketing your goods and services in EU languages; or
  • A reasonable share of your website traffic comes from European consumers.

If you thought twice about any of the items on the checklist, you should continue reading to learn how to make your website GDPR compliant.

What is the secret to GDPR compliance?

Obtain Consent from Website Visitors

The most important requirement is obtaining consent from visitors. Opt-in boxes may not be pre-checked “yes,” because consent is not valid unless it is “freely given, specific, informed, and unambiguous.” This means that if an EU-based website visitor does not opt in or agree to consent, you cannot process their personal data. Unfortunately, this may prevent that individual from participating in whatever product or service your website offers.

Develop a Privacy Policy

A GDPR-compliant Privacy Policy must inform website visitors of 1) what information you are collecting from them, including passwords, billing information, cookies, and metadata; and 2) how your business uses that information. Privacy policies must be “concise, transparent, accessible, and written in clear and plain language.” Your data collection and processing practices must be easily accessible and free of charge to the consumer. It is also important to keep your website compliant as the law changes.

Add Terms and Conditions

The Terms and Conditions page is where you define the rules for visitors to your website. You should state what is and is not permitted. You may also include other FAQs, such as a return and exchange policy, or tell visitors what appropriate use of your website images looks like.

Follow the Notification Requirements

The GDPR is serious about transparency and the consumer’s right to be informed about the use of their personal data. If a system breach occurs, you should have a plan for how to inform all of the individuals in your system. In most cases, a notification email is sufficient. The email should state 1) what happened; 2) what information was involved; 3) what your business is doing to protect the data; 4) what the consumer can do; and 5) the business contact information for any further questions.

Stay Informed with GDPR Compliance Developments

Starting a GDPR compliance initiative is a smart way to protect your business against enforcement actions for violations of EU consumer rights. It is always good practice to review your website policies and keep up to date with the latest international data security and privacy technology.

How much are the fines and penalties of a GDPR enforcement action?

U.S. businesses can be fined pursuant to GDPR Article 28, which requires those doing business with EU data subjects to comply. Notably, the potential fines are as high as 20 million euros or 4 percent of annual revenue (whichever is higher). Over 100 U.S. proceedings are currently pending, and Austria’s Data Protection Authority alone has initiated dozens of investigations into U.S. businesses. In January 2019, the French authority took action against Google and fined it 50 million euros on the grounds of “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”

The effects of the GDPR on U.S. businesses make it paramount that you take it upon yourself to comply by obtaining consent from, protecting the data of, and notifying EU consumers about their data and privacy. It is in the interest of U.S. businesses to ensure that a non-compliant website is not a liability that could result in costly fines from an EU nation.

2 thoughts on “Oops! We suffered a breach and your data may be compromised…”

  1. Gio,

    The subject you chose is a very interesting and certainly a very timely one. The increased exposure of sensitive consumer data is serious. I don’t believe there has ever been a time that there has been more information out in the open that is putting consumers in harm’s way. One question I have is how does the EU’s General Data Protection Regulation compare to whatever the U.S. has implemented to protect/fight back against data breaches. Is one more efficient than the other? If so, should the less efficient regulation be adapted to mirror the more efficient regulation?

    -Ashley

  2. Gio,

    I found your article very poignant and a good primer on some GDPR and data breach issues. As you noted, it is coming up on one year of GDPR compliance and this is a good time for companies to start reevaluating the regulatory landscape. I thought one of the best pieces of advice was to stay up-to-date with changes in the law and how EU nations are handling enforcement actions. With almost a full year past, businesses should be able to refine their compliance based on what is working and what is not across other businesses’ compliance regimes. I would like to see more of your style shine through in the formatting; however, you did a great job using white space to help with the flow of the post. I enjoyed reading this very informative and relevant post!
