The Steep Price of Data Collection is Skyrocketing, Unless You Get it Right

The Steep Price of Data Collection is Skyrocketing, Unless You Get it Right

Do you have a privacy and data security policy?  These days, you should.  And if you’re doing business in Europe or with Europe, as of last Friday, you now need to know about the GDPR.

With data breaches becoming commonplace and hackers becoming more and more sophisticated, all companies need to take IT security much more seriously, beginning with a privacy policy and a data security policy.  Europe has now taken things even further.  The EU’s General Data Protection Regulation (GDPR) became effective last Friday, May 25, 2018.  Do you need to comply? Our self-assessment can help you figure that out.  If you need to comply and you fail to do so, you may be subject to a fine of up to the greater of €20 million or 4% of last year’s revenue.There are two threshold questions:

1. Does your company receive or collect personal data from organizations or natural persons residing or operating in the European Economic Area (EAA)? Personal data may include names, dates of birth, email addresses, identification numbers (e.g., employee ID nos.), website cookies, IP addresses, geolocation data, purchase histories, services used or subscribed to, communications (e.g., website chats or social media posts, even if publicly visible), social media pictures, video or audio recordings, promotions used, survey responses, download records.

or

2. Does your company store any personal data with any processors within the European Economic Area (EEA)? Data processors may include managed data centers, cloud storage servers (e.g., Amazon Web Services, Dropbox), payroll agencies, solicitors, accountants, third party email marketing companies

If you answered “yes” to either of the above questions, you may need to comply with the GDPR.  Read on.

3. Does your organization store any of the personal data described above in Question 1 in electronic or other readily accessible format for any natural persons, including current and former employees, current and prospective customers, and visitors to your organization’s website?
4. Does your organization store any of the following types of particularly sensitive personal data in electronic or other readily accessible format?

racial/ethnic origin, political opinions, religious beliefs, union memberships, genetic information, biometric data, health/medical data, sexual orientation, sexual inclinations or proclivities, criminal charges, criminal offenses, criminal convictions

5. Does your organization store any personal data that identifies or that can be used to identify (directly or indirectly) individuals under the age of 16?
6. Does your organization use or do business with any vendors, contractors, or third parties such as those described in question 2 above?
7. Does your organization have a website privacy policy that documents your fair, transparent, and lawful use of personal data?

In other words, is your organization’s website privacy policy (1) readily accessible and (2) does it explain in clear, easy to understand language (3) what personal data your organization collects, (4) how your organization uses personal data, (5) what lawful bases your organization has for processing personal data, (6) what legitimate interests your organization has for processing personal data, (7) how long your organization stores personal data, does it (8) advise data subjects of their rights to access, correct, erase, and object to data processing, and does it (9) list all data processors with whom you share personal data?

8. Does your organization have reliable, accurate records that it can use to demonstrate when and how all individuals whose personal data your organization stores gave their specific, affirmative, identifiable, and informed consents to the storage of their personal data?
9. Does your organization have a designated responsible contact person and a process in place for documenting and responding to a Data Subject Access Request within 30 days’ receipt of the request?

If you’re subject to GDPR, your answers to questions 3 – 9 may help determine your compliance or your liability for non-compliance with this new law.  And if you’re not subject to it, these questions outline a new standard for keeping your customers’ and employees’ data safe, even in the U.S.

In most cases, we recommend that all our business clients strongly consider creating privacy, data protection and security policies, and include language in many of their customer and vendor contracts.  These measures should help protect the business from liability for data breaches and now, for non-compliance with the GDPR.