What is GDPR and how will it impact your business?
Over the past few years, the internet has drastically changed the way we communicate and how we handle our everyday tasks.
We send emails, share documents, pay bills and purchase goods online on a daily basis; entering our personal details without a second thought.
But have you ever stopped to think about how much personal data you have shared online? Or what happens to that information once you have shared it?
Your banking information, contacts, addresses, social media posts and even your IP address and the sites you have visited are all stored digitally.
Companies tell you that they collect your personal information so that they can serve you better, offer you more targeted and relevant communications, and provide you with an overall better customer experience.
But you may wonder, is this what they really use the data for?
This is the question that was posed by the EU. As a result, on 25th May 2018, a new European privacy regulation called GDPR will be enforced and will permanently change the way you collect, store and use customer data.
Dell and Dimension Research carried out a study of more than 800 IT and business professionals that are responsible for data privacy at companies with European customers and found that 80% of businesses know few details or nothing about GDPR.
Furthermore, the study found that a shocking 97% of companies don’t have a plan in place for when GDPR kicks off in 2018.
In this article, we will explain what GDPR is, how it will impact your business and offer some practical tips to help you be prepared for when GDPR comes into effect on the 25th May.
What is GDPR?
On 25th May 2018, a new European privacy regulation called The General Data Protection Regulation (GDPR) will come into effect.
This regulation will be applied in all local privacy laws across the entire EU and EEA region. It will apply to all companies selling to and storing personal data about citizens in Europe, including companies on other continents. GDPR will provide citizens of the EU and EEA with more control over their personal data and the assurance that their information is being securely protected across Europe.
Under GDPR, personal data is any information related to a person, such as a name, photo, email address, bank details, updates on social networking websites, location details, medical information, or an individual’s computer IP address.
There is no distinction between personal data about individuals in their private, public or occupational roles. Also, in a B2B setting, where customers are obviously companies, the people who handle business relationships and data are also classified as “individuals”.
So, under GDPR, individuals have:
- The right to access – this means that individuals have the right to request access to their personal data, and to ask how their data is used by the organisation once it has been gathered. If an individual requests a copy of their personal data, the organisation must provide this free-of-charge and in an electronic format (if the individual asks for it in this format).
- The right to be forgotten – if a consumer is no longer a customer, or if they withdraw their consent from a company to use their personal data, then they have the right for their information to be deleted.
- The right to data portability – individuals have the right to transfer their data from one service provider to another. This must happen in a commonly used and machine-readable format.
- The right to be informed – this covers the gathering of data by companies, and individuals must be informed before any data is gathered. Consumers have to opt-in for their data to be gathered, and consent must be freely given rather than implied.
- The right to have information corrected – this ensures that individuals can have their data updated or amended if it is out-of-date, incomplete or incorrect.
- The right to restrict processing – individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
- The right to object – this includes the right of individuals to stop organisations processing their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very beginning of communication.
- The right to be notified – if there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
The GDPR is the EU’s way of giving individuals, prospects, customers, contractors and employees more control over their data and less control to the organisations that collect and use data for financial gain.
What are the business implications of GDPR?
GDPR puts the consumer in control of their data, and the task of complying with this regulation falls upon businesses and organisations.
Simply put, GDPR applies to all businesses and organisations established in the EU, regardless of whether the data processing takes place in the EU or not, and organisations established outside the EU can be subject to GDPR as well. If your business offers goods or services to citizens in the EU, then you are subject to GDPR.
There are strict penalties for companies who don’t comply with GDPR, with fines of up to 4% of annual global revenue or 20 million Euros – whichever is greater. To be sure that you are operating in accordance with GDPR, we would recommend that you appoint a data protection officer or data controller who is in charge of GDPR compliance.
Many people see GDPR as strictly an IT issue, but that is not the case. GDPR has broad-sweeping implications for the whole organisation, including the way in which companies handle marketing and sales activities.
How will GDPR impact customer engagement?
The conditions for obtaining consent are much stricter under GDPR requirements: the individual must have the right to withdraw consent at any time, and there is a presumption that consent will not be valid unless the individual gives consent for each separate processing activity undertaken by your organisation. This means that you need to be able to prove that the individual agreed to a certain action, for example to receive your organisation’s promotional emails.
This means that there will be significant changes for your organisation and the way you manage your marketing and sales activities. Your organisation will need to review your business processes, applications and website forms to be compliant with double opt-in rules and email marketing best practices. In order to sign up for communications, prospects will have to complete a form or tick a box and then confirm it was their intended action in a further email.
Your organisation must prove that consent was given in a case where an individual objects to receiving the communication. This means that any data that you hold must have an audit trail that is time stamped, together with reporting that details what the contact opted into and how.
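As an added illustration of the double opt-in and time-stamped audit trail described above (example code written for this article, not a product or library the page refers to), the ledger below records one consent event per contact and per processing purpose, only treats consent as valid once the emailed confirmation token is presented, keeps withdrawals alongside the earlier history, and can answer the question an objection raises: was consent for this purpose in force at the moment the communication was sent? The class and method names, the HMAC-hashed confirmation token and the sample timestamps are all assumptions of this example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timezone
def utc(iso: str) -> datetime:      # parse a constructed ISO-8601 time stamp as UTC
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

@dataclass(frozen=True)
class ConsentEvent:
    contact: str
    purpose: str   # one record per separate processing activity, never a blanket "yes"
    action: str    # "requested" | "confirmed" | "withdrawn"
    source: str    # how it was captured, e.g. "web-form:newsletter"
    at: datetime   # the time stamp that makes the trail auditable

class ConsentLedger:
    def __init__(self, secret: bytes):
        self._secret = secret                       # key for hashing confirmation tokens
        self.events: list[ConsentEvent] = []        # append-only audit trail
        self._pending: dict[tuple[str, str], str] = {}

    def _digest(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def request(self, contact: str, purpose: str, source: str, at: datetime) -> str:
        """Step 1: the form submission. Returns the token to put in the confirmation email."""
        token = secrets.token_urlsafe(16)
        self._pending[(contact, purpose)] = self._digest(token)   # keyed hash, not the raw token
        self.events.append(ConsentEvent(contact, purpose, "requested", source, at))
        return token

    def confirm(self, contact: str, purpose: str, token: str, at: datetime) -> bool:
        """Step 2: the click in the email. Consent is valid only once this succeeds."""
        expected = self._pending.get((contact, purpose))
        if expected is None or not hmac.compare_digest(expected, self._digest(token)):
            return False
        del self._pending[(contact, purpose)]
        self.events.append(ConsentEvent(contact, purpose, "confirmed", "email-confirmation", at))
        return True

    def withdraw(self, contact: str, purpose: str, source: str, at: datetime) -> None:
        """Withdrawal at any time; earlier events stay so the history remains provable."""
        self.events.append(ConsentEvent(contact, purpose, "withdrawn", source, at))

    def has_consent(self, contact: str, purpose: str, at: datetime) -> bool:
        """Was consent for this purpose in force at `at`? This is the answer to an objection."""
        state = None
        for ev in sorted(self.events, key=lambda x: x.at):
            if ev.contact == contact and ev.purpose == purpose and ev.at <= at:
                state = ev.action
        return state == "confirmed"
```

A real deployment would persist the events in write-once storage and expire pending tokens; the point here is that a form submission alone never counts as consent, and that consent is tracked per purpose with a time-stamped history.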
If you purchase marketing lists, you are still responsible for getting the proper consent information, even if an outsourced partner was responsible for gathering the data.
Typically, in the B2B world, salespeople meet potential customers at industry events, such as trade shows; they exchange details and then add this information to their company’s mailing list. In 2018, this will not be possible anymore and companies will need to look at new ways of collecting customer information.
Getting prepared for May 2018
A key component of the GDPR legislation is privacy by design.
Privacy by design requires that all departments in your organisation look closely at your data and how you handle it. There are many things that you will need to do in order to be GDPR compliant.
Here are just a few of the first steps to help you get started:
1. Map your company’s data
Make sure that you map where all of the personal data in your business comes from and document exactly what you do with the data. Identify where the data resides, who can access it, and if there are any risks to the data.
2. Establish what data you need to keep
Don’t keep more information than necessary, and remove any data that you don’t need to use. If your organisation currently collects a lot of data without any real benefit, you won’t be able to continue doing this under GDPR. GDPR will encourage a more disciplined treatment of personal data, so this will require a clean-up on your part.
When cleaning up data, ask yourself:
- Why exactly are we archiving this data rather than just erasing it?
- Why are we saving this data?
- What are we trying to achieve through collecting all these categories of personal information?
- Is it more cost-effective to delete this information than to keep it and encrypt it?
3. Implement security measures
Develop and put into place safeguards throughout your infrastructure to guard against potential data breaches and to contain any breach that does occur, and be ready to take fast action to notify individuals and authorities if a data breach does happen.
Make sure that you establish protocols with your suppliers too. Outsourcing doesn’t exempt you from being liable. You need to make sure that any suppliers have implemented the right security measures too.
4. Review your documentation
Under GDPR, individuals have to explicitly consent to the acquisition and processing of their data, and pre-ticked boxes and implied consent will not be acceptable anymore. You will need to review all of your privacy statements and disclosures and adjust them where needed.
5. Set up procedures for handling personal data
As we discussed earlier, individuals have 8 basic rights under GDPR.
You will need to establish policies and procedures for how you will handle each of these situations.
- How can an individual give consent in a legal manner?
- What is your process if an individual wants their data to be deleted?
- How will you ensure that it is done across all platforms and that it is definitely deleted?
- How will you transfer an individual’s data if they request it?
- How will you confirm that the individual that has requested to have their data transferred is who they claim to be?
- What is the communication plan in case of a data breach?
Data is a valuable currency in the business world, and while GDPR creates new challenges for businesses, it also creates new opportunities.
Companies that demonstrate that they value an individual’s privacy, are transparent about how the data is used, and design and use new and improved ways of managing customer data will be able to build deeper trust and retain more loyal customers.
The May 2018 deadline is now just around the corner, and if you haven’t already started getting your organisation GDPR compliant, now is definitely the time to do so!
Dedicate time to understand all that you need to do to become compliant, and use the practical tips in this article to help get you started. Then, create a strategic plan of action to become GDPR compliant so that when May 2018 comes you will be ready and able to answer all of your customers’ questions regarding compliance.
If you need more information about how GDPR affects your customer data, or if you have concerns that your organisation is not compliant, then contact us today.