Is your data capture mechanism GDPR complaint? If it isn’t, you could face fines of up to 4 percent of your global turnover.
What is the GDPR? It’s the European Union’s sweeping new privacy law. The GDPR protects European citizens and residents from data misuse and abuse as well as careless data practices. It is the answer to the call for companies to be more transparent and accountable in their data practices.
Even if your business isn’t based in the EU, the law applies to you if you hold any data from European sources.
How does data protection regulation change the way we collect data? Keep reading to learn how it impacts your data capture processes.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an all-encompassing piece of privacy regulation put in place by the European Union in 2018.
It covers every aspect of working with data – from capture to erasure.
The GDPR concerns itself with accountability, transparency, and fairness. At the heart of the law is data minimization. In other words, you shouldn’t be collecting, using, or storing data that you don’t have a use for. And you definitely shouldn’t do those things if you don’t have consent from the data subject.
Does It Apply to You?
The GDPR applies to you if you collect data from EU citizens or residents, whom the law protects.
Even if you are not based in the EU nor pay taxes in an EU member state, you must still comply with the GDPR as long as you presently collector continue to store data from EU data subjects.
If you don’t wish to go through the compliance process, then you’ll need to block access to your site in the EU to avoid inadvertently collecting EU data.
Whether or not you need to comply, consider doing so anyway. Many of the GDPR principles are good business practice, and today’s internet users expect and demand a greater degree of privacy whether or not it’s the law.
It’s All About Consent: Impact of GDPR on Data Capture
The most tangible impact of the GDPR for businesses tends to be in how their consent mechanisms change.
You can’t capture data without a legal basis. One of those legal bases is consent. However, consent isn’t implied – you have to prove it.
Article 7 of the GDPR covers the “conditions for consent.”
Essentially, you need to be able to:
- Prove the data subject consented
- Demonstrate the consent provided was written, easily accessible, and written in clear and plain language
- Offer the right for the subject to withdraw their consent whenever they want
- Make it easy to withdraw consent
- Ensure consent isn’t a condition for accessing your business
In other words, the customer needs to know they consent to data processing, and you can’t ban them from their site if they don’t consent to the processing.
Getting consent once isn’t enough. If you change the way you process the data, you need to seek consent for that. One consent doesn’t cover all conditions.
If any of your data processing activities change, you need to update your data subjects and likely ask for consent again.
Meeting the Conditions
What do those consent conditions look like in practice?
It means requesting a “clear, affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing.”
When you seek affirmative consent (such as ticking a box), you’ll need to share details like:
- How you process the data
- Why you process the data
- How to revoke consent
- Whether you share the data with third parties
- Whether the data leaves the EU
- How long you store data
Additionally, all the information you provide needs to be written in clear language that anyone can read. That means writing to the reading level of your average user, choosing a readable font, and organizing your privacy statement well.
Trying to mask your data practices in legalese or “fine print” can earn you a stern call from your local data protection office. Taken too far, you’ll be named, shamed, and fined.
Data Capture in the Age of the Right to Be Forgotten
The ability to freely and easily withdraw consent is an important part of data capture. The EU says that it should be as easy for data subjects to revoke their consent as it is to provide it.
As well as showing data subjects how to withdraw consent for processing, companies must now abide by the “right to be forgotten principle.”
The right to be forgotten is one of the data subjects’ rights. Outlined in Article 17, it says that data subjects may request the erasure of their data in specific circumstances.
They may request to be ‘forgotten’ when:
- You no longer need their personal data for the original collection purpose
- They withdraw the consent to the processing and you must comply
- You processed their data unlawfully
- You must erase it to comply with a law
In these cases, you have an obligation to delete their data “without undue delay.”
GDPR Compliance Isn’t Optional
What is the GDPR? It’s the most comprehensive and up-to-date data privacy law in the world.
If you want to work with European citizens and residents, then GDPR compliance isn’t optional. As of May 25, 2018, you must either comply or block access to your site.
Companies that continue to ignore the new rules or provide woefully inadequate solutions face serious fines.
The EU could come for two to four percent of your total global turnover.
Google recently paid a $57 million fine after the French data protection regulator ruled that Google didn’t work hard enough to get consent from users.
Part of upholding the GDPR means working with GDPR-compliant solutions providers. Get in touch today to learn how we can keep your data capture compliant.