GDPR: Ask yourself 5 questions
GDPR, the General Data Protection Regulation, protects EU residents from businesses and data brokers that exploit personal information in a way many consider unethical. The rules are in place to curtail abuse by large processors of personal data, yet they may place some of the same restrictions on responsibly run SMBs that need to contact residents of the EU for legitimate reasons. By answering 5 questions, you’ll be able to evaluate how GDPR may affect you, and take appropriate action to keep running your business while complying with the new rules.
Click on a question below if your answer is Yes or you’re not sure
- Is there a possibility that you’re interacting with EU residents?
- Could you be processing personal information without knowing it?
- Might people feel their information is used in a way they didn’t want?
- Do you store or process personal information on many platforms?
- Do you handle personal data that could be considered sensitive?
Did you answer No to all 5 questions? You probably don’t need to worry about the effects of GDPR on your business. If you still have doubts regarding risks to personal data, Contact us for exclusive insight based on our extensive experience working with European companies and authorities on personal data protection.
Can an EU resident obtain goods or services from your organization? Does your organization employ anyone, even an outside contractor, resident in an EU country? Do you do business with an EU-based company?
When you collect information on prospects or customers, whether for transactional or communications purposes, whether you sell B2B or to consumers, you need to comply with the GDPR.
Personal information regarding employees and business associates who are EU residents is also subject to the GDPR. You will need to take special care to protect this information, and only use it for the purposes it was intended for, e.g. to directly contact, commercially transact, or make fiscal declarations.
The GDPR regulates the processing of personally identifiable information (PII). Processing, simply put, means collecting, storing or using information.
Have you collected or do you store, use or process in any way personal information from people who reside in the EU? Do you use online forms, or employ a customer relationship management (CRM) database to collect data?
Personal information can be, for example:
- a person’s first name, last name
- an address
- a telephone number
- an email address
- an identification card number
- an Internet Protocol (IP) address
- website cookies
Collecting and storing information can be done via a signup or contact form, or by entering information from business cards into a spreadsheet or a distribution list on an email platform, for example. Website cookies are considered personally identifiable information in the same way as names, email addresses and phone numbers that you collect through online forms, because they can be used to track people. A CRM stores personal data, which triggers the need to comply with GDPR.
You need to give EU residents access to their information when you store it – allowing them to get a copy of the information you have collected and correct inaccurate information – and to respond to their requests to delete it or transfer it to another entity.
Special care must be taken to protect personal information from theft or misuse. Sensitive information requires you to take extra measures to protect EU residents from any possible misuse.
Do you use personal information in a way that was not initially intended when collected? Do you use the personal information you collect on people to make decisions that may impact them?
When people give you their contact details to get a response to a question or to obtain information about a product, they trust you with their information. If you use it to send them newsletters they didn’t ask for, or sell it to another company, you are misusing that information. Under the GDPR you must tell people what data you collect and what you intend to do with it. And you must ask them to expressly agree to that — you cannot assume they agree and ask them to say if they do not. You must get them to opt in, not opt out.
Another requirement introduced by the GDPR is that you must be able to show that no discrimination is possible when personal information is automatically processed. You must also be able to cease automatic processing of an individual’s information upon their request, and make the decision manually.
Is it difficult for your organization to quickly find all areas of your business where you might store personal information? Can you easily identify the type of information you hold about an EU resident (e.g. whether they are an EU resident, whether they have consented and when, whether information is sensitive)?
The GDPR is about protecting personal information. If you cannot show that you are in control of the information you hold, your ability to protect it is in doubt.
You must document the acquisition, storage and use of personal information from EU residents in all areas of your organization. You must also have a data protection strategy in place and make sure it is always current. These records are required to show GDPR compliance.
Special care must be taken to protect sensitive information, and you must prove you need to process it. The GDPR is explicit about the cases in which you can do so, and you will need to show that you fit one of the categories and comply with any national restrictions.
Do you store or use sensitive personal information such as health records, financial records, political affiliation or other information people could consider private? Can it be accessed without trace?
Sensitive information requires special protection. The GDPR is explicit about the cases in which you can store sensitive information belonging to EU residents, and you will need to show that you fit one of the categories and comply with any national restrictions.
The GDPR requires that special care be taken to limit access to personal data; therefore, all access should be logged. Any breach of personal information must be reported to the supervisory Data Protection Authority (DPA) without undue delay, and at the latest within 72 hours after having become aware of the breach. If the breach concerns information that presents a high risk to the rights or freedoms of the person(s) affected, you will need to notify those people directly.
If you answered yes to any of the questions, we recommend you look deeper into the GDPR and what you need to do to comply. Our GDPR privacy impact assessment can help you. Contact us