
Have You Seen This GDPR email?
Important updates about the General Data Protection Regulation (GDPR)
The above is the subject of an email sent out by Google laying out the actions they are taking to comply with the General Data Protection Regulation (GDPR). Google is making changes to its services – free and paid – to give advertisers and users of Google Analytics the ability to control data retention, as well as how and to whom they target advertisements.
Google is not the only company sending out GDPR-related emails. Major corporations are preparing their systems to comply with the EU’s regulation. Email inboxes are flooded with requests to re-opt into email lists. Websites have made their user policies more prominent, linked off the home page, rather than buried in obscure website navigation. The wording of the privacy policy cannot be miles-long legalese either. It must be reasonably understandable and clear. Users must have an easy method to drop out of your online tracking too.
GDPR affects all businesses dealing with European Union (EU) citizens, not just Google. The regulation affects any organization that holds information on EU citizens, regardless of where it is based.
What is GDPR?
GDPR is short for the General Data Protection Regulation. It is a law approved by the EU Parliament on 14 April 2016. Organizations have had plenty of time to prepare for the regulation. It goes into effect on May 25, 2018. Fines for breaking GDPR regs are huge at 4% of annual global turnover or €20 million.
When an organization collects personal data, it currently informs users, usually through a privacy policy, how that data will be used. Under GDPR, organizations need to explain, in concise, clear, and easy-to-understand language, their lawful basis for processing user data as well as the data retention periods. Individuals have the right to access, modify, and require that their data be erased altogether.
In addition, GDPR includes the following rights for individuals:
- the right to be informed
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making, including profiling
The right to data erasure is especially interesting. It is also known as “the right to be forgotten.” Organizations have one month from the time of a verbal or written request to respond to a right-to-be-forgotten request.
Organizations may also need to put steps in place to verify the age of children and obtain parental consent to stay GDPR compliant. This is especially true of social media channels.