On May 25, 2018, new data protection rules, known as the General Data Protection Regulation (GDPR), were rolled out across Europe. Part of a continuing data protection evolution that began in 1990, GDPR is designed to update the laws that protect the rights of individuals using the internet. Chiefly, the new regulations give individuals more control over how their personal information may be disseminated.
Before we launch into a GDPR overview, let’s acknowledge that we are in the U.S.A. That said, these new European laws are already affecting how American-based major online players such as Google, Facebook, and Amazon protect their users’ information. What does this mean to the American online business owner? Simply put, if your site can be accessed by anyone in Europe (and whose site isn’t accessible to all?), there are informational safeguards that need to be implemented on your site sooner rather than later.
Four years in the making, and with the approval of both the European Council and the European Parliament, GDPR roared into life in late April 2016. For European-based online businesses, full compliance was mandatory by the last week of May 2018. The new regulations feature stronger individual rights that give people easier access to the data that companies have on file about them. Also, and this is key, they place responsibility on every organization and business that collects and retains or stores data from individuals to safeguard that data and ensure its security.
Stronger Data Security Measures Now Required
Accountability has also been greatly increased under the GDPR. For an online business this can mean the need for stronger data protection policies, routine data impact assessments, and full public disclosure of how collected data is processed and stored. In the wake of massive data breaches in recent years, notably Experian, whose site was hacked and millions of users’ financial information leaked, tighter reporting and security breach regulations are now mandatory. Under the new GDPR, the “destruction, loss, alteration, unauthorized disclosure of, or access to” collected data must be reported to the Information Commissioner’s Office (ICO) within 72 hours, as well as to those whose information may have been compromised.
For American-based web businesses, these new regulations will likely call for stronger cybersecurity measures on their sites. These may take the form of disclaimers and disclosure statements to assure site users based in Europe that a site’s data collection practices are fully GDPR-compliant. While it is not yet known how much these new regulations will affect U.S. eCommerce, the penalties for non-compliance are steep: fines of up to over $30 million or four percent of a firm’s global turnover, whichever is greater. According to Cnet.com, on day one of this rollout, Google and Facebook were each sued for fines totaling $9.4 billion for alleged GDPR violations.
Where does this leave most American eCommerce websites? There are changes and site updates that can be implemented quickly to protect users’ personal information, safeguard their rights, and help sites avoid being hit with penalties. Is your website in violation of these new regulations? If you have questions, please contact the Digital Marketing professionals at Active Web Group for important information on how you and your web business can become fully GDPR-compliant. For a confidential assessment, contact our team at (800) 978-3417 today!