If you've been online in the past few months and especially in the past few days, you've no doubt stumbled across the acronym GDPR. Perhaps there were news titles about it, maybe some ads, definitely some emails letting you know a company or another is working on becoming GDPR-compliant.
But what is GDPR exactly, and why should you care about it, especially if you're not in Europe?
What is GDPR?
GDPR stands for the General Data Protection Regulation. It is a European Union law on data protection and privacy for all people in the EU, replacing the 1995 Data Protection Directive. It was adopted in April 2016 and becomes enforceable on May 25, 2018 — next Friday, that is.
The GDPR primarily aims to give people more control over their personal data. It also addresses the export of personal data outside the EU, with the further aim of simplifying the regulatory environment for international businesses.
The truth is, 1995 seems more like a century ago in terms of Internet usage and online activity, so a new law focusing on people's rights online was bound to happen. GDPR's purpose is truly a noble one.
In order to be compliant, companies — no matter their size or field of activity (so L&D, and in fact any company that trains people, is no exception) — will have to:
- Be responsible and transparent when gathering, storing and looking after the personal data of their online users.
- Give explicit notice when collecting new data; all users must be informed about how a company handles their data and give consent that they agree to have said data processed.
- Hand over a user's data to them in a physical format, for free, upon request.
- Modify or delete data of a user if requested.
- Inform relevant authorities within 72 hours in case of a data breach.
- Pay fines of up to 4% of annual global turnover or €20 million (whichever is greater) if they are not compliant.
All this can turn into a costly hassle for companies in the short term, but according to the Dutch Prince, it will all be worth it in the long run, because GDPR-compliant companies will be more trustworthy in the eyes of everyone who uses the internet, especially to do business.
Why should companies outside the EU care about GDPR?
Well, because the world — and especially the business world — is more global every day. Just think about all the companies that have teams scattered across the globe and implement training programs for all employees. GDPR has direct implications for numerous businesses worldwide, as the EU is a great trading partner with countries on all other continents.
If your business offers goods or services to anyone living in the European Union, GDPR will apply to you.
If your business has a website that assists your selling process and that website can be accessed by an EU citizen, GDPR will apply to you.
If you have mailing lists for company newsletters and other marketing promotions and at least one of your prospects lives in the EU, GDPR will apply to you.
GDPR may be a European regulation, but it definitely reinforces the idea of the long arm of the law, defying geographical and political borders.
If you're an American company and have to be GDPR-compliant by the end of next week, you should check out this post answering a few US-specific questions about it. And seek further counsel and advice from a qualified legal source.
Even though it's a challenge to become GDPR-compliant, here are a few steps to follow:
- Identify exactly what kind of personal data you already own. Personal data is any data that could be used to identify (directly or indirectly) a person: name, email, IP address, social media posts, bank details, social security numbers, medical information and even any data in a CV.
- Properly secure that data. Find out who has access to what and make sure that data is only handled by the people who need it. Review and reinforce your other data security policies (like password protection, double encryption or SSL certificates).
- Back up frequently. This should go without saying, even if you don't have to be GDPR-compliant. But since users will have the right to request all the personal data you hold on them, you have to make sure everything is up to date at all times.
- Appoint a Data Protection Officer if necessary. This person takes responsibility for how all personal data is handled in your organization, and the role is mandatory if your business carries out large-scale data processing.
- Play by the rules with all the new data you'll get. If you're a European company or you're just doing business with one and handle personal data of EU citizens, it's just better to be compliant than to pay the hefty fines.
Again, the above steps should not be interpreted as legal advice. If you have to become GDPR-compliant, please consult the relevant authorities and tailor the steps to your unique situation.
The countdown is on!