UPDATED MAY 22
The increased focus on online privacy is demonstrated by the upcoming implementation of the General Data Protection Regulation (GDPR) in Europe. It comes into effect on May 25 and is expected to usher in a new era for consumer rights regarding data.
According to erwin Inc.’s 2018 State of Data Governance Report, only 6% of enterprises say they are prepared for the GDPR. If you find yourself lying awake at night grappling with undue anxiety about the challenges ahead, fear not! We’ve created this handy guide to all things GDPR to help you out!
What is the GDPR?
The GDPR is sweeping legislation designed to give EU citizens increased control over their personal online data. Companies found in non-compliance risk fines of up to €20 million or 4% of worldwide annual revenue for the prior financial year, whichever is higher.
The regulations extend past EU borders
The GDPR legislation applies to any company providing goods or services to the EU market, even if your company isn’t physically present in the EU. This means that almost every major corporation in the world will need to be ready when GDPR comes into effect.
The GDPR applies to data already in use
The GDPR doesn’t just apply to data collected after May 25—it applies to all EU customer information currently in your database. What does this mean for your company? Because individuals must explicitly grant permission for your company to market to them, there’s a strong possibility that your contacts database in its current state may be rendered obsolete.
Obligations regarding data collection
The new regulations include key changes in privacy regulation in areas such as opt-in, communications, and data handling. The GDPR is not light reading, and it’s important to know which Articles apply to your business and/or industry.
When it comes to data collection, companies will first have to determine whether they are a data controller or a data processor. Data controllers review and aggregate customer data: they determine how and why personal data is processed. In plain English, this is the party with which the customer exchanges his or her personal data to receive goods and services. Data processors deliver the tools to collect the data and handle the data processing on behalf of the controller. Market research companies or “cloud” providers would be considered data processors.
Let’s look at some of the obligations for data collection.
The GDPR requires your company to ask consumers for explicit consent to start collecting their data. The good old days of consumers ticking a box to provide consent are over.
The new approach to consent requires that requests:
- Are specific and easy to understand
- Explain what data your company will be collecting, why you’re collecting it, and how long you’ll keep the data
- State the name of any third parties who will have access to the information
- Inform consumers that they can withdraw their consent at any time
Once the consumer provides consent, it’s your company’s responsibility to keep the records of consent. If your company decides to use the customer data for another purpose not outlined in the consent request, it’s your responsibility as the data controller to update the consent request accordingly and resubmit the request to the consumer. Article 17 states that the consumer has the right to withdraw their consent at any time and you will be required to immediately stop collecting and processing their data. This will be particularly challenging because it means that marketers will need to provide proof that they can extract and remove consumers’ personal data if the term for consent expires, or if the consumer withdraws consent.
What about the obligations regarding data processing?
Article 5 states that the controller is responsible for processing data lawfully and transparently, and for ensuring data minimization, accuracy, storage limitation, integrity, and confidentiality of personal data. Data controllers are also responsible for demonstrating compliance and accountability.
The GDPR is tightening regulations governing data processors as well. Article 28 states, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” This means that EU or non-EU controllers or processors must implement the necessary controls to ensure that they comply with the GDPR because both controllers and processors will be subject to fines for non-compliance.
In the event of a data breach, companies are obliged to inform the relevant supervisory body within 72 hours of first becoming aware of it. If the breach is serious enough that customers or the public must be notified, GDPR legislation says affected customers must be alerted without “undue delay” via direct, one-to-one correspondence.
The GDPR might initially appear to be a headache. However, proper preparation will not only resolve most of the problems the new regulations present, it will also help you avoid potentially large penalties and a high probability of brand damage.
Need help evaluating your company’s readiness for the GDPR? Drop us a line.