What is GDPR?
GDPR is a set of privacy laws going into effect on May 25th, 2018, that forces businesses to be more transparent about the use of people's data, and respectful of people's rights to decide what, when, why, and how that data is used. It requires businesses to be transparent with people about what data they capture and store about a person, the granular ways in which they use that data, and how they achieve those purposes. It also grants people about whom the data is collected the right to deny storing or processing their data, as well as to request a copy of the data, or request that the data be deleted.
GDPR achieves its ends in a few ways. It requires organizations that collect data about citizens of the EU to be transparent and clear whenever they capture that information - about what data they capture and how they use it. It requires those organizations to obtain explicit consent from people for each use of their data, and to create systems through which a person can withdraw their consent at any time. Organizations can no longer use people's data for purposes that they did not obtain consent for, and can no longer share data with undisclosed third parties. Finally, organizations are required to maintain a minimum standard of security to ensure that the data they store about people is stored and processed securely at all times, to minimize the risk of it being compromised.
To ensure compliance with these laws, GDPR affords EU regulators the ability to levy significant fines ($20M or 4% of annual revenue) against companies that do not abide by GDPR's mandates.
Why was GDPR enacted?
In the few short decades since the internet was commercialized, technology has transformed how we live and work. We search for answers to personal questions online, consume news and media that expose our private political and social affiliations, share personal messages, and shop for things that tell people who we are and what we like - all online, and all tracked by the businesses that help us do these things. In the process, these businesses capture our data, store it, use it, and often trade it in ways we have little consent over or control of. As we've seen over the past few years, that data has often been lost or misused. The Equifax data breach demonstrated that even the largest companies can lack the basic safeguards necessary to protect the most sensitive data they store about us, data we often gave little to no consent to capturing and using in the first place. Meanwhile, social networks and search engines capture inordinate amounts of data about us, and use it to monetize us in ways not fully known to us.
Which businesses are bound by GDPR?
GDPR applies to you if you meet any of the following conditions:
- You have customers in the EU
- You provide services (paid or free) to EU citizens
- You market to EU citizens
- You monitor the activities of EU citizens
If your business is exclusively local and external to the EU, you probably don't have to worry about GDPR. A flower shop in rural Ohio that only markets and ships to the local town is unlikely to have to comply, even if someone from the EU stops by its website and ends up in its analytics solution.
But just because your business is small doesn't mean GDPR doesn't apply. A small-town SEO company that markets its services online and already has a few clients from other countries, even if it doesn't target customers in the EU specifically, is likely to have to abide by GDPR, because it is reasonable to expect that the SEO company would welcome business from European customers if it came along.
Changes we have made to comply with GDPR
We have updated our practices, policies, and products to fully adhere to GDPR's mandates. Some of these changes include:
- We have amended our communication policies so that you only receive communications that you clearly consent to receiving, and that you have easy-to-use options to opt out of receiving those communications.
- We have published and made available a data processing agreement (DPA) that discloses and governs how we process the data that you provide to us for processing. This DPA can be obtained by emailing us at firstname.lastname@example.org, and will soon be available directly from Reeid’s website.
- There has never been any indication that our users' data has been compromised. However, to ensure that your personal data is protected, our systems no longer store data unless we have your consent, it is required to provide you with service, or we have a legitimate interest, and we encrypt it whenever necessary to keep your privacy safe without compromising our ability to achieve one of the above purposes.
- To access, rectify or erase your data, to restrict or object to processing, or request to port data to a third party, you may contact us directly at email@example.com.
- We have appointed a Data Protection Officer. You may get in touch with our DPO by emailing firstname.lastname@example.org.
- We're arranging similar GDPR-ready data processing agreements with our vendors.