
4 Minute Read | March 14, 2018

A Quick Look at GDPR and How it Will Impact Your Organization

What is the General Data Protection Regulation (GDPR)?

GDPR is a new set of EU regulations going into effect on May 25, 2018. It provides citizens (and potentially non-citizen residents) of the European Union greater protections and rights pertaining to what companies can do with their personal information. The primary objective of GDPR is to protect individuals by reducing the amount of personal data available to organizations, and to provide them additional control over that data. Once this law goes into effect, the penalties for non-compliance increase significantly, and care has been taken to make these penalties enforceable globally.

I don’t live in the EU, does the GDPR still affect me?

Yes. Any website anywhere that collects and uses personally identifiable information about an individual residing in the EU must comply with GDPR. The regulation states that penalties are enforceable regardless of the country in which the company using the data operates.

What is considered personal data?

The EU GDPR laws apply quite broadly. The legislation defines “personal data” as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” This information includes, but is not limited to:

  • Name
  • Photos
  • Email address
  • Location information
  • Identification Numbers
  • Bank Information
  • Social Media posts
  • Medical information
  • IP Addresses

Consider Requests for Personal Data

GDPR grants users the ability to access their data in several ways, including:

  • Requesting corrections to their data
  • Removal of their information, or
  • Requesting to review the personal information collected.

A user requesting such information must provide the site operator with the details necessary to identify that user. Be prepared for such requests: determine what information you require to verify an individual's identity and to locate their information within your systems.

What web features are subject to the GDPR rules?

  • Web forms that collect personally identifiable information.
  • Features tracking IP address, session ID, or other unique identifiers that can be tied back to an individual.
  • Meta tag snippets that contain tracking code that collects personal information on users, such as Google Analytics.
  • Third-party integrations, including CRMs, marketing automation tools, and ERP systems.

What do I need to do?

Your responsibility for maintaining GDPR compliance will vary based on the nature of your business, target markets, and data collection methods your organization has implemented. The GDPR has many requirements about how to collect, store, and use personal data. Take these steps to evaluate your data’s compliance with the new regulations:

1. Awareness

Educate your organization on GDPR compliance requirements and appoint a primary point of contact for digital privacy related enforcement and education.

2. Audit

Review all systems within your organization that collect or process end user data. This is not limited to your website platform. Consider CRMs, ERP Systems, Marketing Automation tools, and more.

3. Transparency

Disclose to end users what information you are collecting, why you are collecting it, and who they can contact with questions. This is often done through a privacy policy.

4. Management

Review your procedures pertaining to the collection, storage, and processing of personal data falling under GDPR. Be mindful of the new data retention regulation and set up periodic reviews and audits of your data.

5. Respond

Set policies and processes for effectively and appropriately reporting data breaches pertaining to data falling under GDPR. Be able to easily extract user data from your database.

Do I need to obtain consent before collecting personal data?

Yes. The GDPR requires that before collecting or processing personal data, controllers must have a specific legal basis to do so. Organizations must provide:

  • What data is being collected
  • What the data will be used for
  • Who has access to the data
  • How long the data will be kept
  • Who to contact with concerns

Acquiring agreement could be as simple as including a checkbox on a form that requires users to confirm consent to the collection and storage of information before they can submit their requests. It must also be easy to remove that consent if requested.

What information should my privacy policy include?

It is important to remain transparent about the personal data you collect and how you intend to use that information. Many users are concerned that their data will be sold to other companies or kept in an insecure environment. Put their minds at ease with an updated privacy policy that includes the following:

  • Identity and contact details of data controller
  • Purpose of data processing and legal basis
  • When and how personal information is shared
  • Information collected that could be personally identifiable
  • Information you do not collect from end users
  • Relationships that may result in data transfer to third parties
  • Safeguards to protect data
  • Cookie Use and Purpose
  • Data Retention Procedures

What happens if I am not compliant with GDPR regulations?

GDPR penalties fall into two tiers, depending on the severity of the infraction:

  • Tier One
    • Two percent of global annual revenue, or
    • Ten Million Euro
  • Tier Two
    • Four percent of global annual revenue, or
    • Twenty Million Euro

The tier applied will depend on the nature, duration, and severity of non-compliance, including:

  • Was the non-compliance intentional or negligent?
  • How many data subjects were impacted?
  • What was the duration of the infringement?
  • Were data prevention mechanisms in place?
  • Does the data controller follow basic GDPR requirements?
  • Are privacy policy and requests for consent adequately transparent?
  • Are there prior infringements from the data controller or data processor?
  • Did the data controller or data processor cooperate with regulators?
  • Was the infringement reported voluntarily or under duress?

Authored By

Jenna Dehn

UX Practice Lead
