Sites that work with clients from EU countries can now be fined up to 20 million euros if they fail to comply with the GDPR's new rules on personal data. There are no victims yet, but that is no reason to break the law. Better safe :-)
The General Data Protection Regulation (GDPR) is an extraterritorial regulation that protects the data of all EU citizens. If you collect, store or process personal data (including cookies) of even one client from Europe, you must comply with the regulation regardless of where the site and the company are registered.
If your site works exclusively in Russia, you need not worry about complying with the GDPR. Still, do not forget that 152-FZ "On personal data" is in force in Russia (the updated version came into force on July 1, 2017); it partly mirrors the requirements of the GDPR and also restricts how you may handle customers' personal information.
What is personal data
No exhaustive list of what counts as personal data is given anywhere. Personal data is any information about a person that can be used to identify that person, directly or indirectly.
Basic principles of the regulation and the rights of personal data subjects
In short, all the rules come down to openness and respect for your customers' personal information. Here are five basic principles:
- The principle of purpose limitation: state clearly why you are collecting this data.
- The principle of storage limitation: specify the retention period; personal data may not be kept longer than needed to achieve the stated purposes.
- The principle of data minimization: collect only the minimum necessary for your purposes.
- The principle of integrity, confidentiality and accuracy of the collected data: the data must be correct and kept confidential.
Accordingly, every EU resident has a number of rights that you must respect:
- to know what personal data is collected (which data, for what purposes and for how long it will be stored);
- to request that data from the company;
- to demand deletion of all their data (the so-called right to be forgotten).
What should the site owner do?
- Check that the CRM system you use supports your customers' basic rights, that is, it allows you to:
  - provide information about the personal data collected,
  - modify and supplement it;
  - delete data on request.
Interestingly, there is also such a thing as the "right to data portability". It means that, at the request of the data subject, you must hand over all of their data to another organization, which simplifies moving a client from one company to another. Be ready for this.
- Warn about collecting information. It is enough to place a banner with text at the bottom of the page along the lines of "We use cookies to personalize the content on the site. By continuing to use the site, you agree to this."
- Request confirmation before sending mailings. In email marketing this is called double opt-in. By sending a letter with the text "click the button to confirm your consent to the newsletter," you obtain the user's explicit consent and can prove that you received this email address honestly (and did not, for example, buy a spam database).
Here is the standard Mailchimp double opt-in letter:
- Ask users for consent to the collection of personal data. The GDPR requires that users consent to the processing of their personal data explicitly (as in the example above). To do this, place a checkbox next to the data collection form; by ticking it, the user agrees to the processing of their personal data. Note that this checkbox must not be ticked by default: the user has to tick it themselves.
- Report data loss. Your customers' personal data should be monitored very carefully and stored in a safe place. If the data reaches third parties it was not intended for (you are hacked, it leaks through carelessness or negligence, or you lose it in any other way), you must inform users of this within five days. Of course, it will not be as big an event as Facebook's widely publicized leak in March, but it is still unpleasant.
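One way to implement the two consent points above (the double opt-in confirmation link and the server-side check that the consent checkbox was actually ticked), as an added Python example that is not code from the original article or from Mailchimp. The in-memory `subscribers` store, `SECRET_KEY`, the 24-hour link lifetime, the field names and the `https://example.invalid` domain are constructed for this example; a real site would keep the consent record in its CRM so it can later show when, how and to what the user consented:

```python
"""Double opt-in for a newsletter with an explicit, unchecked-by-default consent box.

Example code, not from the original article. The store, key and time-to-live
below are constructed for the example; replace them in a real deployment.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlencode

SECRET_KEY = b"constructed-example-key-rotate-in-production"   # assumption
TOKEN_TTL_SECONDS = 24 * 60 * 60                              # assumption: links live 24h

# Consent records keyed by normalized email. 'confirmed_at' stays None until the
# user clicks the link in the confirmation email (the second "opt-in").
subscribers: Dict[str, dict] = {}


def _sign(email: str, nonce: str, issued: int) -> str:
    """HMAC over email, per-signup nonce and issue time, so a link cannot be forged
    or reused after the user signs up again (a new nonce invalidates old links)."""
    payload = f"{email}|{nonce}|{issued}".encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_token(email: str, nonce: str, issued: int) -> str:
    return f"{issued}.{_sign(email, nonce, issued)}"


def confirmation_link(email: str, token: str) -> str:
    """Link to embed in the 'click to confirm' email (domain is a placeholder)."""
    return "https://example.invalid/confirm?" + urlencode({"email": email, "token": token})


def handle_signup_form(form: dict, now: Optional[float] = None) -> str:
    """Process the signup form; returns the token to put in the confirmation email.

    Browsers only submit a checkbox value when the box is ticked, so a missing or
    wrong 'consent' field means the user did not consent. The check lives on the
    server because a pre-ticked box (or a tampered page) must not count as consent."""
    now = now if now is not None else time.time()
    email = form.get("email", "").strip().lower()
    if not email or "@" not in email:
        raise ValueError("invalid email address")
    if form.get("consent") != "on":
        raise PermissionError("explicit consent checkbox was not ticked")
    nonce = secrets.token_hex(16)
    subscribers[email] = {
        "email": email,
        "purpose": "newsletter",                     # purpose limitation: say why
        "consent_text_version": form.get("consent_text_version", "v1"),
        "signup_at": now,
        "nonce": nonce,
        "confirmed_at": None,
    }
    return make_token(email, nonce, int(now))


def confirm_subscription(email: str, token: str, now: Optional[float] = None,
                         source: str = "") -> bool:
    """Handle the click on the confirmation link. Returns True only for a genuine,
    unexpired link belonging to the current signup of this address."""
    now = now if now is not None else time.time()
    rec = subscribers.get(email.strip().lower())
    if rec is None:
        return False
    try:
        issued_str, sig = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    expected = _sign(rec["email"], rec["nonce"], issued)
    if not hmac.compare_digest(expected, sig):
        return False                      # forged or tampered link
    if now - issued > TOKEN_TTL_SECONDS:
        return False                      # stale link; the user must sign up again
    if rec["confirmed_at"] is None:
        rec["confirmed_at"] = now         # this timestamp is your proof of consent
        rec["confirmed_from"] = source    # e.g. client IP / user agent, if you log it
    return True


def can_send_newsletter(email: str) -> bool:
    """Only doubly-confirmed addresses may receive mailings."""
    rec = subscribers.get(email.strip().lower())
    return rec is not None and rec["confirmed_at"] is not None


if __name__ == "__main__":
    token = handle_signup_form({"email": "Reader@Example.com", "consent": "on"})
    print("send this link:", confirmation_link("reader@example.com", token))
    print("confirmed:", confirm_subscription("reader@example.com", token))
    print("may mail:", can_send_newsletter("reader@example.com"))
```

The record keeps the purpose, the version of the consent text shown, and both timestamps, which is exactly what you need to answer a subject's "what did I agree to and when" request later.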
What will happen for non-compliance
As with any violation, the severity, the number of victims and the causes will be taken into account. The maximum fine for violating the regulation can be as much as twenty million euros or 4% of the company's annual turnover. But do not panic right away: this is the maximum, and it will not be applied for a first violation. For a first violation you will most likely be warned and asked to bring everything into line with the regulation. You may also face a ban or restriction on processing personal data, and only as a last resort a fine (not necessarily a multimillion one).
In addition, failing to comply with the law can damage your reputation and the trust placed in the company. No one wants to subscribe to your newsletter and then receive unintelligible content from third-party organizations.
To protect users' rights, each EU country has set up a special Data Protection Authority (DPA), and organizations from non-EU countries must appoint a representative in Europe who will deal with the DPA. How those that have not appointed a representative will be dealt with has not been disclosed. Nor is it fully clear how companies outside the EU will be held liable for violations. Still, it is important to understand that, despite this ambiguity, the rules should not be ignored.
There are no precedents under this law yet. Even so, it is better to meet all its requirements and be confident in yourself.