The enforcement date for the GDPR is 25 May 2018. Not long is it?
If you've been living under a rock for the last two years, GDPR stands for General Data Protection Regulation, a regulation that was passed by the EU Parliament in April 2016. The GDPR is "designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy" (eugdpr.org).
We're on the home stretch for enforcement of the GDPR, so its time to make sure your business is ready. Here are the answers to the common questions my clients are asking right now.
Do I have to comply with the GDPR if my company handles data outside of the EU?
If your business activities include processing, controlling, or handling the consumer data of residents of the EU, then yes, you need to comply.
You have an online store and you are based in Japan. You sell something to a consumer from the UK. In doing so, you take the customers email address, delivery address, or other contact details. Therefore, you need to comply with the GDPR.
Brexit means I don't have to comply with GDPR, doesn't it?
That's incorrect. Even if the UK managed to have a super-speedy Brexit, the UK government has indicated it will implement something very similar after leaving the EU. Therefore, it makes sense to ensure compliance now as any changes post-Brexit will be minimal.
What should I do if I will be processing the consumer data of under 16s?
Explicit parental permission will be required to handle any data from children under the age of sixteen. The permission must not be implied.
You publish a children's mobile game app and need to collect user emails as part of the registration/sign in process. You must get explicit consent from the parent, i.e.,you must not ask the child to tick a box to say they have asked their parent for permission.
Do I need to declare a data protection officer as part of GDPR compliance?
The assignment of a Data Protection Officer (DPO) is only mandatory in these cases:
- where the data processing is carried out by a public authority or body;
- where the core activities consist of processing operations which require regular monitoring of data subjects;
- Large-scale processing of personal data from 'special categories' (which includes sensitive data such as political opinions or religious beliefs) and personal data relating to criminal convictions and personal data relating to criminal convictions and offences.
Trade unions, healthcare providers storing patient records, prisons.
Do I need a double opt-in for new subscribers to my email list?
Consumer consent can’t be inferred or given passively by using a pre-ticked box. Consumers should opt-in, not be forced to opt-out. While the GDPR does not explicitly state that double opt-in is a must, I would always recommend it as best practice permission marketing. If you need any more persuasion, email giant MailChimp added double opt-in as the standard for its EU clients directly because of the impending GDPR.
Have more questions? Leave your question in the comments box below and I'll try to answer as many as I can.
Need help to comply with the GDPR? Drop me a line for a no-obligation chat.