General Data Protection Regulation (GDPR)
Luckily, there’s still enough time to get prepared.
Preparation means your audit needs to include summaries of what information you collect. That covers personally identifying information ("PII") such as names, email addresses, usernames and IP addresses, as well as information that is matched with PII, such as data about what site a user is coming from, how much time they spend on your site, and information they provide via forms or orders. It is also vital to document why your use of the information is lawful, how long it is retained and what the data is used for. That information needs to be public: in an FAQ or other informational page accessible on your website, and on your Facebook pages if you collect information on users who communicate with you there.
Recent issues involving Facebook and privacy are significant, but going forward, a company that collects information via Facebook about Europe-based users has a notification and opt-in obligation. Non-EU users may also become accustomed to seeing GDPR-compliant privacy and breach policies, and look for them before doing business with or using a specific website.
The penalties for non-compliance are stiff: fines for data breaches, especially those that are not reported in a timely manner, clock in at 4% of a company's annual revenue or 20 million euros, whichever is lower. The cost of complying with the requirements of the GDPR is considerably less, and compliance is a good way to be sure your customers know that they can trust you with their information. As the EU's Commission says, "The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business."