The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy for everyone in the EU. It was adopted on April 14, 2016, and becomes enforceable this May 25th. This is the biggest shake-up in data protection in decades.
The goal of GDPR is to protect the sensitive data of individuals. If GDPR works as it should, personal data control goes back to EU citizens and the regulatory environment for global businesses is simplified.
Does GDPR Affect US Companies?
This regulation will affect any company that handles personal data of EU citizens. Any company that sells to EU residents will need to comply. This also encompasses the export of personal data outside of the EU. For instance, if you do marketing e-mail campaigns that include customers in the EU, you must ask their approval for sending to those e-mail addresses.
Data Protection is the Key
Client data security should be a top concern. Use a remote database server, use best encryption methods, SSL, firewalls, auditing, logging, external audits, and so on. Make sure admin ports are locked down. If you are already performing best practices with security and data handling, you should be fine.
Speaking of fine, the fine for a data breach is a hefty one: up to 5% of your WORLDWIDE revenues PER INSTANCE, so this is not something to take lightly. GDPR may end up separating the providers with real policies from those without them, who will get hit hard in the wallet.
What Data Must be Protected?
Here’s how the GDPR defines personal data, from Article 4 of the GDPR EU:
‘Personal data’ means any information relating to an identified or identifiable natural person (known as a ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
By the new regulation, here’s what must be protected:
- Biographical information – name, date of birth, Social Security number, phone number, and email address
- Web data – location, IP address, cookies and RFID tags
- Workplace data – education, salary, tax information
- Private personal data – health, genetics, medical history, racial data, religion, political opinions
How to Prepare for GDPR
The Information Commissioner’s Office (ICO) is the UK’s independent body that upholds data privacy rights, and it has released information to help SMBs get ready for GDPR. Here is a data protection self-assessment checklist, and 12 steps to take now. An overview of the 12 steps is provided below.
Will HostDime be GDPR Compliant?
HostDime uses technical security measures like firewalls, non-public-facing systems, and mitigation and detection software to prevent the unauthorized disclosure of information under our control. We are always committed to protecting our direct clients’ personal data and will be GDPR compliant by the May 25th deadline. Clients who service European customers must handle their own compliance.
A final disclaimer is that I am by no means a GDPR expert. This article is just a primer; do your own research and/or hire an attorney for any specific questions you may have regarding your enterprise’s compliance.
Jared Smith is HostDime’s Content & SEO Strategist.