The European Union is introducing a new law that will affect almost every business that collects or processes the data of customers in the EU.
The law, commonly known as GDPR, was passed by the European Parliament in April 2016 and takes effect on May 25, 2018. Companies that fail to comply risk exorbitant fines.
Don’t panic though – in this post, we’ll cover everything you should know about GDPR, from the details and reasoning behind the law to actionable steps your business can take towards compliance.
What is GDPR?
GDPR stands for General Data Protection Regulation, the EU’s new standard for protecting consumer privacy and personal data. GDPR aims to prevent companies from misusing data while giving end users greater transparency and stronger rights over how their data is handled.
What key changes will GDPR bring?
First, GDPR creates stronger protections for consumers. Europe takes privacy seriously, and under the new law individuals will be able to:
- Access the personal data a company holds about them
- Request the erasure of their personal data (the “right to be forgotten”)
- Object to the processing of their personal data, and withdraw consent where processing is based on consent
- Receive their personal data in a portable, machine-readable format and move it to another provider
Second, GDPR enforces stricter requirements on businesses. Companies must:
- Protect personal data using appropriate technical and organizational security measures
- Clearly notify consumers of what data is collected and how it is used
- Educate and train employees on GDPR
- Appoint a Data Protection Officer (where required)
- Explain the purposes for which data is collected and how long it will be retained before deletion
- Notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it
Who does GDPR apply to?
There’s a common misconception that GDPR only applies to companies based in the EU. In reality, GDPR applies to any company that collects, stores or processes the personal data of people in the EU, wherever that company is based. In practice, that covers any business that offers goods or services to EU residents or monitors their behaviour online, even if no financial transaction takes place.
A website with generic marketing copy aimed at U.S. consumers may fall outside the regulation’s scope. A business website that targets EU users, for example with localized language settings, local currencies, or European domain suffixes (such as .nl or .de), would fall under GDPR.
Finally, GDPR applies to both data controllers (who decide why and how data is processed) and data processors (who process it on a controller’s behalf). The previous EU data protection rules placed obligations almost entirely on controllers, and companies like Facebook and Google that collected data on EU users could avoid much of that regulation by processing the data outside the EU. GDPR is stricter and applies directly to any business that collects or processes personal data of EU residents, including cloud service providers acting as processors.
What will happen to companies that don’t comply?
Punishment for breaching GDPR can take a significant bite out of a business’s bottom line. Organizations found violating the core principles of GDPR, such as failing to have a lawful basis for processing or ignoring data subject rights, face fines of up to 4% of annual global turnover or 20 million euros (roughly 24 million dollars at the time of writing), whichever is higher.
A lower tier of fines, up to 2% of annual global turnover or 10 million euros (again, whichever is higher), applies to failures such as not notifying the authority or affected individuals of a breach, not keeping records of processing activities, or not appointing a Data Protection Officer when one is required.
What should I do to prepare?
Meet with key stakeholders.
Organize a meeting with high-level leaders, not just from the IT department but from marketing, finance, sales, and so on. The more opportunity each team has to weigh in on how data is collected and processed, the more accurate your assessment of the situation will be. Educate the team on the requirements, then gather plenty of feedback for your planning phase.
Evaluate your risk and audit processes.
Once the whole team is on the same page, start assessing your existing practices. Do you run customer surveys on the website? Do you run ad campaigns based on user behavior? Is your website aimed at EU customers? Make a list of areas that need updating or tweaking, as well as every system and software program that stores personally identifiable information (PII). It’s far better to know what you don’t know now than to be caught unprepared once the law takes effect.
Appoint a Data Protection Officer (DPO)
GDPR does not require every business to have a DPO. Under Article 37, a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health or biometric data). The regulation expressly allows the role to be filled by an existing staff member or by an external provider under a service contract. Even where a DPO is not strictly required, whichever route your business chooses, a DPO can help develop a cohesive plan for the brand and manage the technical details that leaders from different departments may miss.
Revisit your Terms and Conditions, privacy notice, and marketing consent requests
Check any legalese on the website, in marketing communications, documents, and sign-up forms for outdated language. Most importantly, state clearly why the business collects data, what it collects, how it will be processed, and on what lawful basis. Where you rely on consent, it must be a freely given, specific, informed and unambiguous opt-in; pre-ticked boxes and bundled consent no longer count.
Implement stronger security protocols
Update all software, processes, and tools to create a more secure customer experience. In a post-GDPR era, businesses can no longer leave consumer data protection as a backlogged task; it needs to take priority. That means preventing security breaches where possible, giving developers the time and headcount to do the work, encrypting data in transit and at rest, and limiting third-party access to personal data to what is strictly necessary.
Practice security breach responses
Simulate a data breach or hack of your organization’s data. How would your business respond? How could it have prevented the event? Develop clear guidelines and distribute them to every team member. Once GDPR takes effect, businesses must notify the supervisory authority within 72 hours of becoming aware of a breach, and must notify affected individuals without undue delay when the breach is likely to put them at high risk. Meeting that deadline means having press and customer communications drafted, backup and restore processes tested, and a plan for preventing future breaches, all before an incident happens.
Document your processing activities
Article 30 of GDPR requires controllers and processors to maintain a Record of Processing Activities (RoPA). For each processing activity it should list the purpose, the categories of data subjects and personal data involved, the recipients, any transfers outside the EU, the planned retention period, and a general description of the security measures in place. (Organizations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to individuals, is more than occasional, or involves special categories of data.) This record is key to understanding how the brand uses data, and it is the most direct way of demonstrating compliance to a regulator.
What should I expect on May 25?
Of all the things we’ve learned about GDPR, the one thing still unclear is how strictly businesses outside the EU will be policed. Larger businesses with multimillion-dollar revenues may draw more attention than smaller firms, but the regulation itself applies across the board.
Don’t worry if you still feel like there’s a lot to do, because you’re not alone. According to a Solix Technology survey back in December, 22% of organizations were “unaware that they must comply with GDPR,” and 66% were unsure whether they could purge consumer data permanently.
But if you wish to continue reaching an audience in Europe, your business needs to take on a new mentality, one that prioritizes customer privacy. Once your whole team is fully aware of GDPR and you have a risk assessment and a timeline, everything else comes down to execution.
Keep an eye on this page. We’ll continue to update it as more news, case studies, and information arrive.