EU data protection regulation: tips to ensure GDPR compliance
The EU General Data Protection Regulation (EU GDPR) will give individuals more control over their personal data and simplify privacy regulations across the EU. To avoid penalties, all businesses, even those outside the EU, will need to update their data protection practices. Tips for becoming GDPR compliant and how we can help!
EU GDPR at a glance
Data protection standards and rules are nothing new for the EU. The GDPR updates and supersedes the 1995 Data Protection Directive, which was, in the end, just a directive: each member state had to transpose it into its own national law. The GDPR, on the other hand, is a regulation, which applies directly in every member state and is both more comprehensive and more enforceable.
The new regulations go into effect on May 25th. Businesses that fail to comply with the GDPR could face fines of up to 4% of their annual revenue or €20m.
And, yes, this includes businesses outside of the EU. No matter where you are in the world, compliance is expected of your business if you store data on European residents, or even on non-EU based individuals who travel to the EU for a limited time.
What data protection regulations?
The GDPR ensures that individuals “own” their own data and determine for themselves how it is used. Under the GDPR, personal data is defined as any information relating to an “identified or identifiable natural person.” This includes:
- ID number(s)
- Location information
- Any other factor related to an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity – including IP addresses, cookie strings, social media posts, online contacts, and mobile device IDs.
If you are a business that gathers and/or stores any of the above data, the GDPR requires you to take action to uphold eight basic rights granted to all “data subjects”:
- The right to be informed: individuals must be told how and why you are collecting their data.
- The right of access: individuals can access their own data, confirm it is being processed, and verify that its use is lawful.
- The right to rectification: individuals can request to have inaccurate, out-of-date, or incomplete data corrected.
- The right to erasure: individuals can request to have their data “erased” or removed when there is no reason to continue processing it.
- The right to restrict processing: individuals can block or suppress processing of data.
- The right to data portability: individuals can obtain and reuse data for their own purposes across different services.
- The right to object: individuals can object to the processing of their data.
- The right not to be subject to automated decision-making, including profiling, or to any decision made without human intervention that could prove damaging to them.
Auditing your compliance
Of course, you should seek out legal counsel to determine how the new laws apply to your specific business. But, more generally, you’ll also want to:
Assess your data collection practices
- What data are you gathering?
- Where are you storing it?
- With whom are you sharing it?
- Are your reasons for gathering it lawful?
Evaluate your privacy policies and procedures for GDPR compliance
- Do they accurately cover all user rights?
- Do you have a data retention policy?
- Do you have a procedure in place for providing requested access to information?
- How well-defined are your procedures for preventing and responding to data breaches?
Ensure communications include proper consent language
- Do you clearly communicate how you will use collected data?
- Do you provide a clear opt-in section?
- Do you provide users enough information to consent?
Also, in many cases, organisations will have to appoint a Data Protection Officer (DPO). Article 37(1) of the GDPR sets out the conditions under which a DPO must be appointed.
How EuroDNS can help with GDPR compliance
EuroDNS offers products and services that can help you to protect the data you gather from individuals residing within the EU.
A Secure Sockets Layer (SSL) certificate encrypts the details entered into any form or field on your website while they travel between the visitor’s browser and your server, so they cannot be read in transit; data you then store must still be protected separately. A free SSL certificate is offered when you register a domain at EuroDNS, but we offer a variety of SSL certificates, some of which provide more protection and warranty coverage than others. See here for more on EuroDNS’s selection of SSL certificates.
We offer our customers the option of employing two-step verification (TSV) with their account. Stronger than a password alone, which can be guessed or stolen, TSV blocks unauthorised access to your account, drastically limiting the chances that your payment methods, contact lists, and any other data you collect are stolen. See here to learn more about two-step verification.
As for the future of WHOIS...
A final note: as of the time of this writing, the future of WHOIS (the publicly accessible database of contact details related to your domain name) is uncertain. But until a definitive solution is agreed upon, EuroDNS does offer a domain privacy service that masks your personal data, protecting you from spammers, hackers, and hijackers.
Watch this space for more on the future of WHOIS and additional information related to the EU data protection regulation. We’ll continue to provide updates and offer assistance and resources to help you become GDPR compliant as we advance towards the May 25th deadline!