General Data Protection Regulation: What You Need to Know to Be in Compliance

In May, the European Union passed the General Data Protection Regulation, a piece of legislation that places tighter restrictions on what corporations can do when collecting web users’ personal data. The law requires companies to be more transparent about how they collect personal data.

The GDPR refers to ‘personal data’ as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” This includes name, location, and other sensitive identification info. With the GDPR, consumers who are citizens of countries in the European Union can inquire about what data companies have collected on them, and ask those companies to delete the data, among other rights (for a full overview of the changes, see here).
These changes affect American businesspeople, even small business owners, because any company that does business with European citizens, or uses the data of European citizens in any way, must comply. And the ramifications are significant: noncompliance with the privacy rules of the GDPR can result in a fine of up to $20 million, or 4% of the company’s global turnover for the previous year. Furthermore, U.S. states, such as California, have begun to adopt similar policies to safeguard the privacy of their citizens. It is estimated that more U.S. states will adopt similar policies, and that the EU’s GDPR will have a wide-reaching influence on the privacy standards that businesses are held to.

Therefore, it is important that small businesses are upfront about their data use, as a means of good business that will benefit both the customer and the owner. Here are some steps to take to ensure clear communication and secure transfer of data.

State what data you are using from the customer and require customer consent

The new GDPR requires corporations to state in plain terms what type of data they collect from the visitor and how it will be used. Consent must also be as easy to withdraw as it is to give. Most websites that have begun to implement this use a pop-up window at the top of the screen to state how information such as cookies is used, and require consent before the visitor continues onto the website.
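What "easy to give, easy to withdraw" looks like in the page's own script is the part a small-business site usually gets wrong: the banner records a decision, but non-essential cookies are dropped before consent or survive withdrawal. The following is an added example, not code from the original article, showing one way to gate non-essential cookies on a recorded decision and to clear them when consent is withdrawn. The cookie names (`site_consent`, `session_id`, `analytics_id`), the jar interface and the JSON layout of the consent record are assumptions; the in-memory jar stands in for `document.cookie` so the logic can run in Node.

```javascript
// Added example, not from the original article: a small consent manager that
// gates non-essential cookies on an explicit decision and makes withdrawal a
// single call. Cookie names, the jar interface and the record layout are assumed.

const CONSENT_COOKIE = "site_consent";                     // assumed name of the consent record
const ESSENTIAL = new Set(["session_id", CONSENT_COOKIE]); // assumed cookies the site cannot run without

// In-memory jar with the same surface as a document.cookie wrapper, so the
// logic can be exercised outside a browser.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => store.get(name),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// Jar backed by document.cookie for use in a real page (not exercised here).
function browserJar(doc) {
  const parse = () => Object.fromEntries(
    doc.cookie.split(";").map((c) => c.trim()).filter((c) => c.includes("=")).map((c) => {
      const i = c.indexOf("=");
      return [decodeURIComponent(c.slice(0, i)), decodeURIComponent(c.slice(i + 1))];
    }),
  );
  return {
    get: (name) => parse()[name],
    set: (name, value) => {
      doc.cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; path=/; Secure; SameSite=Lax`;
    },
    remove: (name) => { doc.cookie = `${encodeURIComponent(name)}=; path=/; Max-Age=0`; },
    names: () => Object.keys(parse()),
  };
}

class ConsentManager {
  constructor(jar) { this.jar = jar; }

  // Returns "granted", "denied", or undefined when the visitor has not decided yet.
  status() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === undefined) return undefined;
    try { return JSON.parse(raw).status; } catch (e) { return undefined; }
  }

  // The banner is shown only until a decision is recorded.
  needsBanner() { return this.status() === undefined; }

  grant() {
    this.jar.set(CONSENT_COOKIE, JSON.stringify({ status: "granted", at: new Date().toISOString() }));
  }

  // Withdrawal is one call, like granting: it records the refusal and removes
  // every non-essential cookie that was set while consent was in force.
  withdraw() {
    this.jar.set(CONSENT_COOKIE, JSON.stringify({ status: "denied", at: new Date().toISOString() }));
    for (const name of this.jar.names()) {
      if (!ESSENTIAL.has(name)) this.jar.remove(name);
    }
  }

  // Essential cookies are always allowed; anything else needs a recorded "granted".
  setCookie(name, value) {
    if (!ESSENTIAL.has(name) && this.status() !== "granted") return false;
    this.jar.set(name, value);
    return true;
  }
}

// Walks through one visit: banner shown, analytics blocked, consent given,
// analytics allowed, consent withdrawn, analytics removed but session kept.
function runScenario() {
  const cm = new ConsentManager(memoryJar());
  const bannerAtStart = cm.needsBanner();
  const blockedBeforeConsent = cm.setCookie("analytics_id", "a1") === false;
  const sessionAllowed = cm.setCookie("session_id", "s1");
  cm.grant();
  const allowedAfterConsent = cm.setCookie("analytics_id", "a1");
  cm.withdraw();
  return {
    bannerAtStart,
    blockedBeforeConsent,
    sessionAllowed,
    allowedAfterConsent,
    clearedOnWithdraw: cm.jar.get("analytics_id") === undefined,
    sessionKept: cm.jar.get("session_id") === "s1",
    bannerAfterDecision: cm.needsBanner(),
    finalStatus: cm.status(),
  };
}

console.log(runScenario());
```

In a page, the banner's "Accept" and "Decline" buttons would call `grant()` and `withdraw()` on a `ConsentManager` built over `browserJar(document)`, and every analytics or marketing script would go through `setCookie()` rather than writing `document.cookie` directly; a "withdraw consent" link in the footer then does the same work as the original banner.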

Appoint a data protection officer if you handle large amounts of information, information pertaining to criminal convictions, or other special categories of data

According to Article 37, businesses must appoint a data protection officer if they handle certain types of information, like criminal records, religious affiliation, or large amounts of information. The data protection officer, per GDPR requirements, can be a staff member or external service provider. Consult with a legal advisor to see if your business’s data usage necessitates a data protection officer.

Notify when a breach of security occurs

When the security of data is compromised, businesses must notify customers and national authorities within 72 hours of first detecting the data breach. In the U.S., the data controller’s office is the Federal Trade Commission, according to Jason Weinstein, a lawyer, data security expert and content writer at the IAPP.

Become SSL compliant

SSL stands for Secure Sockets Layer. It is a feature that protects information as it is transmitted from the user to your business, so that cybercriminals cannot read it in transit.
The presence of SSL is indicated in the bar at the beginning of the URL, usually with a lock symbol (though the display differs between browsers). A certificate usually costs around $100-$200 per year, and you may need to pay a web development expert to help you implement it. SSL must also be implemented with care, so that visitors and search engines are redirected to the new, secure URL. You can read more about SSL here.

Consult with a legal advisor

The above tips are a general outline of some of the ramifications of the GDPR’s latest changes. They are not meant to replace legal advice from an attorney, however. It is in your best interest as a business to consult a legal expert who can offer advice tailored to the needs of your business.

The changes of the GDPR may seem overwhelming at first, and compliance will take some time and effort on the part of your business. However, complying with the GDPR does not just mean making changes to fit predetermined criteria. The GDPR aims to make web usage a more pleasant, safe experience for consumers. By abiding by GDPR standards, you are taking another step in offering the best customer service to your web visitors. Knowing the rules of the GDPR and the reasoning behind its implementation will aid you not just in preventing potential legal disputes, but perhaps more importantly, in providing a safe and enjoyable web experience for all visitors.


Sources

“The U.S. Doesn’t Have a National Data Protection Authority? Think Again…”
“Article 37 GDPR – Designation of the Data Protection Officer”
“GDPR Key Changes”
