You may have heard some of the buzz going around about the General Data Protection Regulation (GDPR) that will be enforced in the European Union starting May 25, 2018. This regulation looks to bring stricter policy to European data security. GDPR has been designed to protect the Personally Identifiable Information of citizens of the European Union. In short, a website cannot collect a visitor's information without their explicit consent, and visitors must be notified of any data breaches that occur.
While you may think that GDPR won’t affect your business in the United States, think again. If your company processes the personal data of subjects in the European Union, regardless of your company’s location, you must comply with these regulations. In other words, you are affected if you have an online presence for your business that can be accessed by anyone in the world.
Impacts for Savannah
The tourism industry remains one of Savannah’s largest economic drivers. According to Visit Savannah, tourists contributed almost $3 billion to our city in 2017. Savannah is a premier travel destination for people all over the world. More and more people are researching Savannah businesses on the web to figure out how to make the best of their vacation. They want to know where they are going to stay, what activities they can do, and which restaurants they should enjoy.
Travel and booking agencies should pay special attention to the requirements of GDPR. These companies commonly process payments and collect personal data about their customers as they go through the booking process. Here are the requirements your business must follow to be compliant.
- Increased territory
GDPR will be enforced for all companies that process the personal data of subjects living in the EU, regardless of the company's physical location. It also applies to companies that process personal data while offering goods or services to EU citizens.
- Penalties
Organizations in breach of GDPR can be fined. Fines follow a tiered approach, with the maximum being up to 4% of annual global turnover or 20 Million Euros (whichever is greater) for the most serious infringements.
- Consent
Requests for consent must now be easily accessible and clearly understandable. It must also be just as easy to withdraw consent.
- Breach Notification
If a data breach occurs that may put individuals' rights at risk, notification of the breach is mandatory in all member states and must be made within 72 hours of first becoming aware of the breach.
- Right to access and to be forgotten
Data subjects have the right to obtain confirmation that personal data concerning them is being processed, where it is being processed, and for what purpose. The subject also has a right to a copy of the data. Lastly, the subject has the right to request that the processing of their information stop and that their data be erased.
- Design and Privacy
GDPR requires that data protection be included from the beginning of a system's design rather than added on later.