The impending enforcement of the European Union’s General Data Protection Regulation (GDPR) will lead to challenges for nearly any business that operates on the internet. The sweeping privacy reforms demand a new standard in handling personal information.
There’s a good chance it leads to improved protection of personal information for everybody – simply because the technical requirements to only implement the regulations for EU citizens may outweigh just developing the capability for all of a company’s customers or users.
If you’re unfamiliar with the GDPR, I suggest spending a few minutes watching this excellent primer from Habitu8. In short:
The GDPR takes a firm stance on privacy by default – you must obtain consent for any collection, storage, or use of a user’s personal data – instead of assuming you can use it in any manner you like without asking.
Perhaps you’re a small business that doesn’t operate in the EU. Why bother with the GDPR at all? Well:
Do you operate on the internet? Allow users to sign up for an account? Unless you’re explicitly restricting access from certain geographic locations, if an EU user creates an account with you, you’re required to abide by these regulations as it pertains to their personal information – including name, address, username, email address, and yes, even the IP address you log for their session with your servers, or the cookie you issue to their web browser.
If you don’t do business in the EU now, but you plan on expanding across the Atlantic in the future, this will end up impacting you, and you may be asked to build the processes required before you start work in that locale. It might be better to start considering implementation sooner rather than later.
Finally, you might start seeing pressure from third parties to conform to these kinds of regulations even if the third party isn’t in the EU. Companies and consumers are all looking for ways to better protect their personal information and you might be asked to start providing similar protection or risk losing some business.
The European Data Protection Supervisor’s website has some great practical resources for starting down the path of implementation. Their legal notice on handling of personal data could be useful to duplicate for your own website, for example. They also publish the details of their own DPO’s roles and responsibilities which may act as a guide for the creation of the role inside your organization.
If your hands are a little more damp now than when you started reading this post, that’s understandable! Let us know if we can be of assistance in navigating your GDPR challenges.