We’re down to less than two months before GDPR, the General Data Protection Regulation, takes effect on May 25.
It has been a long time coming, and by now your company should be well prepared with your data collection, handling, and storage processes to be sure they’re compliant. If not, don’t wait another minute to get moving.
While it may be a European law, with the greatest impact on EU-based organizations, it affects and applies to any company, anywhere, that processes data from citizens of the European Union. It has been crafted to give those citizens ultimate control of their personal data and to streamline the regulatory environment for companies doing business there.
GDPR addresses personal data, or any information relating to someone’s private, professional, or public life, such as a name, photo, email address, bank details, medical information, social networking posts, or even IP address. For example:
- Before your company can process any personal data, it must explicitly obtain clear and affirmative consent from the individual. For children under the age of 16, parental consent must be obtained.
- If a data breach occurs, you must report it within 72 hours to the relevant data protection authority. If there is a significant risk to customers, they must also be notified.
- Your company will be expected to maintain a clear audit trail and justify any security decisions you make regarding your data.
- Individuals will be empowered to request a copy of the personal data your business has on them and to have that information delivered in a format that is accessible for them.
If a company processes sufficiently large amounts of special categories of personal data, it is required to appoint a data protection officer, someone with expertise in the field and knowledge of the laws and regulations. Additional regulations apply to the data protection officer.
Burden or opportunity?
While all this may sound like one more regulatory burden on your organization, there are some who say that you shouldn’t look at GDPR that way, but rather as an opportunity to generate better data and handle it more carefully.
Because the regulations focus on first-party data, or data acquired directly from a customer, you should be generating higher quality data, since it was given voluntarily, with permission. And better data should – if your marketing department is doing it right – lead to better marketing strategies and tactics.
In addition, since GDPR necessitates a review of your data handling and processing procedures, it opens the door to better mapping and restructuring of your data flows and storage requirements for the sake of efficiency as well as compliance.
Better safe than sorry
Violations of GDPR are not taken lightly, and you will surely regret it if there is a data breach and your company is found in violation. You could be hit with a fine of up to four percent of your company’s annual global revenue, or 20 million euros, whichever is higher.
A fine like that, when you add in the costs of dealing with the data breach itself, could put a severe crimp in any organization’s operations.
But what if you’re a smaller company, based in the U.S., without operations in Europe, and you only sell your products to Europeans incidentally through your website? No matter. If Hans or Greta in Düsseldorf orders from your website, you are now subject to the GDPR. After all, you have their credit card information, address, and other personal data.
A few additional things you should keep in mind:
- While in the past you may have been able to remove an individual who opted out from your mailing list while still keeping their information on file, that will no longer be allowed. Everything must go.
- There is a higher standard for consent, and you must always be clear and forthright about offering options to withdraw consent, as well as be very transparent about what someone is signing up for.
- GDPR is all about opt-ins. Say goodbye to the presumption that someone is opting in if they don’t proactively opt out.
Protection of individuals’ personal data is something that should have been a priority for any company all along. GDPR is there to make sure that it is.
If your company has been treating customer data with the utmost care all along, and going to great lengths to protect that data and keep it from being hacked or stolen, then complying with GDPR shouldn’t be that big a deal. But if you’re not sure you are fully ready, do read the fine print between now and May 25. You’ll be glad you did.