If you do this, you violate the GDPR

• Inadequate protection of personal information of EU citizens, such as data leakage or ransomware attacks
• Use the personal assets of EU citizens, deviate from the agreed purpose, or lack legitimacy
• Failing to give the individual parties their due rights
• Failure to adopt sufficient security technology to protect personal data, or fail to save historical records of the use of personal data

In China and Taiwan, organizations in the following three situations will be affected by GDPR:

• The company has subsidiaries, branches, sales offices and representative offices in the EU
• The company provides goods and services from China and Taiwan to the EU
• Entrusted to process personal data from the European Union (data center business entities, cloud providers, etc.)

For example, if you set up a branch or sales office in the European Union and hire local employees as employees, you need to take measures to protect employees' personal data in accordance with the GDPR. Many companies have developed personal information protection management measures in accordance with the EU Data Protection Directive enacted in 1995. Therefore, prior to the implementation of GDPR in 2018, stricter correspondence education is necessary.

In addition, even if you do not have an overseas base, EU residents will enter the name, phone number, credit card number, etc. when purchasing products from the Chinese and Taiwanese websites, which must also meet the GDPR.

How should companies respond under GDPR?

The GDPR has caused a lot of discussion because of the data that will be used in the digital advertising ecosystem, such as cookies, IP, device identification codes (including Google Advertising ID (AAID) for Android, advertising ID for iOS devices (IDFA), Device Fingerprint is counted), geographic location (GPS coordinates, or geographic area known by IP reverse inference), etc. are all classified as personal privacy data of EU citizens. Therefore, in order to meet GDPR regulations, the website owner must inform and seek the consent of the website visitors.

1. Content preparation: the company's GDPR description text is clear and clear

• The internal "service agreement" and "privacy clause" of the enterprise need to be adjusted accordingly to the GDPR, and a rule description document suitable for the enterprise's own situation should be formulated.
• Clearly indicate the data that the company will collect, use, and the user's license or rights to revoke the license.
• Guarantee the multi-language version, do not use different languages, etc., to obtain the user's permission by vague regulations.

2. New users: clearly inform the rights and interests of the form entry

• Set up an obvious notification window for all data collection entrances such as subscription and registration.
• The location is eye-catching and the content is clear and clear.
• There can be no automatic check of mandatory consent, and it can be used only after obtaining the user's subjective permission.

3. Existing members: users complete authorization independently.

• Send permission application emails to all existing member users. Unauthorized users will continue to send it after three days and get authorization as soon as possible. (Email template can directly use background template)
• The user clicks the "DO IT NOW" button in the email to jump to the "GDPR" authorization link.
• There can be no automatic check of mandatory consent, and it can be used only after obtaining the user's subjective permission.

4. Existing members: Allow to revoke or modify authorization at any time

• For users who have not clearly responded to whether they are authorized or not, as well as users who have been permitted, in each subsequent email push, it is necessary to set an obvious revocation permission flag.
• Allow users to cancel authorization at any time.
• Allow users to modify the content of personal messages at any time.