What the Heck is GDPR and Why Should I Care?
If you’re a blogger, chances are pretty good that you’ve heard about the “GDPR” at some point in the last few weeks/months. The chances are also pretty good that you don’t really know what it means, don’t know how or if it applies to you, or what to do about it. It can be very confusing and many bloggers are feeling a bit overwhelmed. However, not knowing about the GDPR is no longer a viable option moving forward because it’s about to take effect and what you don’t know can definitely hurt you.
Have no fear (o.k., maybe a little fear but we’ll work on it) and hang on for the ride. This is the first in a series of posts on the GDPR that will help you get up to speed.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is an EU regulation that strengthens personal data protection and privacy for people in the European Union (“EU”), regardless of their citizenship. It also restricts the transfer of personal data out of the EU to countries such as the United States unless adequate safeguards are in place. Two of its stated goals are to give individuals more control over their personal data and to simplify the regulatory environment for international business by replacing the patchwork of national rules with one set of requirements across the EU. Adopted in April 2016 after years of negotiation, the GDPR becomes enforceable on May 25, 2018.
Does the GDPR Apply to Me?
If you collect, store, or otherwise process personal data (think name, email address, phone number, IP address, etc.) from people who are in the EU, the GDPR applies to your collection and use of that personal data. You don’t need to be located in the EU for this to be true: the rules reach you if you offer goods or services to people in the EU (paid or free) or monitor their behaviour, for example through analytics or advertising cookies. This covers personal data stored in cookies, used for email or newsletter lists, marketing communications, payment information, etc. As defined under EU law, personal data means “any information relating to an identified or identifiable natural person,” that is, anything that can be used to directly or indirectly identify someone.
Why Does it Matter?
Failure to comply with the provisions of the GDPR can lead to hefty fines, up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious violations. Even though you don’t live in the EU, you can still be fined: the regulation explicitly applies to businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour, and most such businesses must designate a representative in the EU that supervisory authorities can contact. EU regulators and courts have also become increasingly willing to hold US companies to the stricter data privacy rules found in the EU, and cross-border cooperation on enforcement is expanding.
What Does the GDPR Require?
The GDPR requires you to treat personal data with respect and to be responsive to inquiries and instructions from the individual identified by the personal data. Some of the specific requirements are listed below (this is not a complete list, but it’s a good start).
In practical terms, under the GDPR, you must:
- Have a lawful basis for collecting personal data before you collect it. Consent is one such basis, but not the only one (performing a contract and legitimate interests are others). Where you rely on consent, it must be freely given, specific, informed, and a clear affirmative act; a pre-ticked box doesn’t count.
- Only collect the personal data that is necessary for the purpose you collect it for.
- Be completely transparent, usually through a privacy notice, about what personal data you collect, why, how long you keep it, and who you share it with.
- Store and process the personal data securely, with technical and organisational measures appropriate to the risk.
- Allow a person to review the personal data you have about them and obtain a copy of it.
- Delete personal data upon request of the person identified by the personal data, subject to limited exceptions (for example, where you are legally required to retain it).
- Promptly report any data breach involving personal data: to the relevant supervisory authority within 72 hours of becoming aware of it where feasible, and to the affected individuals when the breach is likely to put them at high risk.
- Be able to demonstrate your compliance, which means keeping records of what you do with personal data and being prepared for a supervisory authority to review your use (or abuse) of it.
So, here are a few tips to get started with GDPR compliance.
- Don’t panic. Seriously, keep calm and say to yourself, “I can do this.” Because you can.
- Don’t stick your head in the sand and hope it goes away. GDPR is not going away, so the sooner you understand it and get your proverbial ducks in a row, the better.
- Don’t pretend it doesn’t matter. It does. You’re not likely to get hit with a fine the day it takes effect, but you should do everything you can now. Waiting won’t make it better.
- Don’t keep on doing things the way you always have. The world is changing all around us. Data privacy is kind of a big deal, especially in the EU. If you want to build success in the blogging world, you need to understand and follow the rules.
- Start to assess the data you collect. You need to understand exactly what kind of data you are gathering from your followers/customers/clients. Where did it come from? How did you get it? How is it stored? Where is it stored?
- Identify and review service provider contracts. Every service provider that you share personal data with needs to be identified, and the contracts that you have with them will need to be reviewed and, where necessary, updated for compliance with the GDPR. The GDPR requires a written agreement with any provider that processes personal data on your behalf, spelling out what they may do with it and the security they must maintain. This includes contracts with web hosting providers, email and newsletter services, analytics providers, affiliate partners, payment processing companies, etc.
- Get help if you need it. The GDPR is a new thing and it probably seems a bit overwhelming. There are people out there who can help. If you don’t know what to do, find someone who does.
Remember – Be Smart. Be Legal.
Disclaimer – Yes, I’m a lawyer, but I’m not your lawyer. All information in this post is provided for educational purposes only and should not be considered legal advice for any specific person or any specific situation.
** Photo Credit – By Stéfan Le Dû from Nantes, France – “This way. Or maybe this way. Wait. No. This way.” Uploaded by Chime, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=9528894