13.05.18
The amount of data individuals have been sharing on the internet is increasing with every passing year. Be it our travel photos, contact data, corporate emails, or credit card information, we put it all up there, with the hope that it reaches only the intended receiver and that they only use it for the proclaimed purpose. Companies dealing with this abundance of data claim to only use it to create a personalized and more engaging customer experience, but the European Union finally decided to stop just taking their word for it. That’s why the European Parliament and Council came up with the General Data Protection Regulation, also known as GDPR, to enforce privacy and data protection laws and policies on companies dealing with data of EU citizens.
GDPR is a privacy and data protection regulation that intends to give users control over their data and ensures that companies dealing with data of European citizens comply with certain rules and policies. Every citizen will now have the right to be forgotten, the right to consent to the use of their data, the right to seek damages in case of a data breach, the right to limit the usage of their data, and more. GDPR was adopted on April 27, 2016 and, following a 2-year transition period, it is set to go into full effect on 25 May, 2018. The GDPR acts as the successor to the Data Protection Directive.
Even though GDPR protects the data and rights of EU citizens, it knows no geographical bounds. This means that even if your company isn’t based in the EU, but it offers products or services to citizens of the EU (including immigrants and visitors) or collects/deals with their data in any form, you will have to seek GDPR compliance. To put this in perspective, consider an example: suppose you have a website that’s accessible by people from all over the world, including European citizens, and you have a lead-capturing form on the website which you use to collect contact information. Even if currently none of your customers are from the EU, there is still a possibility that you might get a new lead from Europe in the future; this means that you also need to do your GDPR compliance homework. Having said that, Gartner’s prediction that more than half of the companies affected by GDPR will not have attained compliance by the end of 2018 sounds like a frightening omen.
Under GDPR, users will have:
Now that we have seen the extent of the rights a user will have under GDPR, let’s see exactly how companies will get affected:
One of the most important GDPR implications is the change in the way companies perceive and handle user consent. GDPR has laid a lot of stress on the importance of user consent and has given tangible control over the data back to the users. Under GDPR, companies can’t use pre-ticked boxes as before and therefore a user needs to explicitly provide their consent every single time. Companies will also have to segregate their consent requests or forms from other terms and conditions so that they never get overlooked. Evidence of the attainment of consent also needs to be kept by the companies which can later be used to signify the who, when, how and what regarding the consent.
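As an added illustration (not code from the original post), the following Python sketch of a consent ledger records the who, when, how and what of each consent, rejects pre-ticked boxes as evidence, and answers whether consent was valid for a purpose at a given time; the record fields, the `ConsentLedger` API and the sample user ids are assumptions made for this example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
@dataclass
class ConsentRecord:
    subject_id: str                     # who
    purpose: str                        # what the data may be used for
    method: str                         # how it was obtained
    granted_at: datetime                # when
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    # Append-only: records are never deleted, only marked withdrawn.
    def __init__(self):
        self._records = []
    def record_consent(self, subject_id, purpose, method, user_ticked, pre_ticked, at):
        # A pre-ticked box, or one the user never ticked, is not an affirmative act.
        if pre_ticked or not user_ticked:
            raise ValueError("no affirmative action by the data subject")
        rec = ConsentRecord(subject_id, purpose, method, at)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at):
        # Close every open record for this subject and purpose; return how many closed.
        closed = 0
        for rec in self._records:
            if (rec.subject_id, rec.purpose, rec.withdrawn_at) == (subject_id, purpose, None):
                rec.withdrawn_at = at
                closed += 1
        return closed

    def has_consent(self, subject_id, purpose, at):
        # Valid only if granted on or before `at` and not withdrawn by then.
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.granted_at <= at
                   and (rec.withdrawn_at is None or rec.withdrawn_at > at)
                   for rec in self._records)

    def evidence(self, subject_id):
        # The who/when/how/what trail a supervisory authority may ask for.
        return [asdict(rec) for rec in self._records if rec.subject_id == subject_id]

def demo():
    # Constructed sample data, not from any real system.
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("user-42", "newsletter", "signup form checkbox v3", True, False, t0)
    ledger.withdraw("user-42", "newsletter", t0.replace(day=30))
    return ledger, t0
```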
The data privacy and protection compliance ensured by GDPR is extended from the beginning of the lifecycle of the product or service to the point where it’s ready for delivery. Every company needs to be able to give substantial proof of their compliance to this rule (Article 25 of GDPR states: An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article).
The one-stop-shop principle is an important component of the GDPR. It entails that all companies will only have to show proof of compliance to one supervisory authority. In some situations, local authorities might also have to intervene in cooperation with the former. This is good news for companies doing business in more than one member state because it’s cheaper to have one supervising body for all the states than to have one for each.
A DPO, or data protection officer, is not needed by all companies, but in the following three situations such a designation is mandatory (according to Article 37 of GDPR):
The territorial scope of GDPR is not defined by geography but by the data. In simpler words, it means that even if your company isn’t located in the EU, if it offers products or services to citizens in the EU, all of the rules apply to you.
In case a data breach occurs, a company needs to inform all of the affected users, along with its supervisory authority, within 72 hours of discovering the breach. If the breach is expected to severely affect the rights and privacy of the affected users, then you also need to make the individuals aware of the full extent of possible damages. If you fail to report a breach for whatever reason, then you could be fined up to 10 million Euros or 2% of your global turnover.
The next natural question popping up in your mind right now could be something like, “What should I do to be prepared?” Well, here are the steps that we think you should be taking right away:
GDPR is set to change the overall outlook of the internet. The most visible changes will be the ones regarding consent as users will be presented with more and more popups for explicit consent acquisition. Additionally, more and more companies will provide users with the ability to download all the data a company has on them. The top email marketing platforms like AWeber and ActiveCampaign will provide companies the ability to keep their customer engagement efforts ongoing without disrupting their GDPR compliance or violating any user rights. After GDPR, there will be stricter consequences if you send a newsletter to a person who explicitly opted not to receive it.
Most of the changes, however, will be happening behind the scenes. In the past, companies have been known to share data without any legal repercussions, but GDPR is set to enforce a few laws on data sharing, analytics and advertising. Specifically, companies that received user data from another company (and not directly from the user) will now have a lot of transparency and consent laws to abide by.
90% of all the data that is currently present on the internet has been created since 2016 and with that in mind, saying that GDPR was a need of the hour isn’t an overstatement. After it gets enforced on May 25, 2018, GDPR is set to change the way companies obtain, store and deal with user data, making life a bit harder and precautionary for them. The main objective of GDPR was to protect user data and to give EU citizens significantly more control over their data, and it’s set to do just that.