What Is GDPR And How Will It Affect Your Business?
The amount of data individuals share on the internet increases every year. Travel photos, contact details, corporate emails, credit card numbers: we put it all up there, hoping it reaches only the intended recipient and is used only for the stated purpose. Companies that handle this abundance of data claim to use it only to build a more personalised and engaging customer experience, but the European Union has decided to stop simply taking their word for it. That is why the European Parliament and Council adopted the General Data Protection Regulation, or GDPR, which imposes privacy and data protection obligations on any organisation that handles the personal data of people in the EU.
What is GDPR?
GDPR is a privacy and data protection regulation that gives individuals control over their personal data and requires organisations handling the personal data of people in the EU to follow a defined set of rules. Every data subject has the right to be forgotten (erasure), the right to withdraw consent, the right to compensation for damage caused by an infringement, the right to restrict how their data is used, and several other rights listed below. GDPR was adopted on April 27, 2016 and, after a two-year transition period, applies from May 25, 2018. It replaces the Data Protection Directive (95/46/EC).
GDPR protects people in the EU, but its reach is not limited to EU territory. If your company is not established in the EU but offers goods or services to individuals in the EU (whatever their nationality), or monitors their behaviour, the regulation applies to you and you will have to achieve compliance. To put this in perspective, consider an example: you run a website that is reachable from anywhere in the world, including Europe, with a lead capture form that collects contact information. Mere reachability from the EU is not by itself enough to bring you into scope (Recital 23), but indicators such as offering the site in an EU language, quoting prices in euros, shipping to EU addresses or deliberately marketing to EU visitors are. If any of those apply, then even if none of your current customers is in the EU you should expect EU leads in future and do your GDPR compliance homework now. Against that background, Gartner's prediction that more than half of the companies affected by GDPR will not have attained compliance by the end of 2018 sounds like a frightening omen.
Specifically what rights will the users have?
Under GDPR, users will have:
- The right to be forgotten (erasure): A user can ask for their personal data to be deleted when, for example, the data is no longer needed for the purpose it was collected for, they withdraw the consent the processing was based on, or they object to the processing. The company must then erase the data and, if it has made the data public, take reasonable steps to tell other controllers that erasure has been requested. The right is not absolute: data that must be kept to meet a legal obligation or to defend legal claims can be retained. In practice, erasure has to reach every copy you hold, which is why you need to know where the data lives, including backups and third-party processors.
- The right of access: Users can ask at any time whether a company holds personal data about them and, if so, receive a copy of that data together with the purposes of the processing, the recipients, the retention period and the source of the data. The first copy must be provided free of charge and normally within one month; a reasonable fee may be charged only for further copies or for manifestly unfounded or excessive requests.
- The right to be informed: Whenever a company collects personal data, it must tell the data subject, at the time of collection (or within a reasonable period if the data came from a third party), who is collecting it, for what purpose, on what legal basis, for how long it will be kept and with whom it will be shared. Consent is one of several legal bases, not the only one; where consent is the basis it must be freely given, specific, informed and unambiguous, and it can never be assumed. Data gathered without a valid legal basis can lead to hefty fines.
- The right to data portability: Users can request the personal data they provided to a company, where it is processed on the basis of consent or a contract and by automated means, in a structured, commonly used and machine-readable format, and can ask for it to be transmitted directly to another service provider where that is technically feasible.
- The right to restrict data processing: Users can also request companies to cease the processing of their data. The company can maintain the data in their storage but will have to stop using it completely.
- The right to get information rectified: If a user believes that their data is either obsolete or incomplete or erroneous, they reserve the right to get it rectified.
- The right to data breach notification: When a personal data breach occurs, the controller must notify its supervisory authority within 72 hours of becoming aware of it where feasible (and explain any delay). If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, the company must also tell those individuals without undue delay, describing the nature of the breach, its likely consequences and the measures taken.
- The right to object: If a person does not want their data used for direct marketing, the company has to comply. As soon as such an objection is received, the company must stop all direct marketing to that person, with no exceptions. Moreover, the company must bring this right explicitly to the person's attention, clearly and separately from other information, at the latest at the time of the first communication with them.
Now that we have seen the extent of the rights a user will have under GDPR, let’s see exactly how companies will get affected:
How will businesses be affected?
1. Consent:
One of the most important implications of GDPR is the change in how companies obtain and handle user consent. GDPR places great weight on consent and gives tangible control over data back to the user. Pre-ticked boxes, silence or inactivity no longer count: consent must be a clear affirmative act by the user for each specified purpose, and it must be as easy to withdraw as it was to give. Companies must also keep consent requests clearly separate from other terms and conditions so they can never be overlooked. Finally, the burden of proof is on the company, so it must keep evidence of each consent that records who consented, when, how and to what.
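The "who, when, how and what" evidence described above maps naturally onto an append-only consent ledger. The following Python is an added illustration written for this article; it is not code from the original page, from any regulator, or from any vendor, and the field names, purposes and subject identifiers are assumptions. It records grants and withdrawals as separate events, refuses to record a pre-ticked box as consent, answers "may I process this subject's data for this purpose right now?", and can dump a subject's history in a machine-readable form for an access request.

```python
"""Consent ledger: evidence of who consented to what, when and how.

Added example for illustration only. Field names, purposes and subject
identifiers are constructed; storing these records is not by itself a
guarantee of legal sufficiency.
"""
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # pseudonymous identifier for the data subject (assumed)
    purpose: str           # one purpose per event, e.g. "newsletter"
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime           # UTC timestamp of the act
    notice_version: str    # version of the privacy notice shown at the time
    method: str            # how it was captured, e.g. "web_form_checkbox"
    affirmative_act: bool  # False would mean a pre-ticked box or inactivity


class ConsentLedger:
    """Append-only record: nothing is ever overwritten, only superseded."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _when(at: Optional[datetime]) -> datetime:
        return at if at is not None else datetime.now(timezone.utc)

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              method: str, affirmative_act: bool,
              at: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box or silence is not consent; refuse to record it as
        # a grant instead of silently treating it as valid.
        if not affirmative_act:
            raise ValueError("consent must be an affirmative act; "
                             "pre-ticked boxes do not count")
        ev = ConsentEvent(subject_id, purpose, True, self._when(at),
                          notice_version, method, True)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is its own event so the history stays intact as evidence.
        ev = ConsentEvent(subject_id, purpose, False, self._when(at),
                          "n/a", method, True)
        self._events.append(ev)
        return ev

    def may_process(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """The most recent event for (subject, purpose) at or before `at` decides."""
        when = self._when(at)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.at <= when]
        if not relevant:
            return False  # nothing on record: default is no
        return max(relevant, key=lambda e: e.at).granted

    def evidence(self, subject_id: str, purpose: str) -> List[dict]:
        """Full who/when/how/what history for one subject and purpose."""
        return [asdict(e) for e in sorted(self._events, key=lambda e: e.at)
                if e.subject_id == subject_id and e.purpose == purpose]

    def export_subject(self, subject_id: str) -> Dict[str, object]:
        """Machine-readable dump for an access or portability request."""
        events = [asdict(e) for e in sorted(self._events, key=lambda e: e.at)
                  if e.subject_id == subject_id]
        for e in events:
            e["at"] = e["at"].isoformat()
        return {"subject_id": subject_id, "consent_events": events}


def demo() -> Dict[str, object]:
    """Constructed walk-through: grant, check, withdraw, check, reject pre-tick."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    ledger.grant("sub-123", "newsletter", notice_version="v2",
                 method="web_form_checkbox", affirmative_act=True, at=t0)
    before = ledger.may_process("sub-123", "newsletter", at=t0.replace(hour=10))
    ledger.withdraw("sub-123", "newsletter", method="unsubscribe_link",
                    at=t0.replace(hour=11))
    after = ledger.may_process("sub-123", "newsletter", at=t0.replace(hour=12))
    try:
        ledger.grant("sub-456", "newsletter", "v2", "web_form_checkbox",
                     affirmative_act=False, at=t0)
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    return {
        "before_withdrawal": before,
        "after_withdrawal": after,
        "preticked_rejected": preticked_rejected,
        "unknown_subject": ledger.may_process("nobody", "newsletter", at=t0),
        "history_len": len(ledger.evidence("sub-123", "newsletter")),
        "export": ledger.export_subject("sub-123"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter here: the default answer for a subject with no record is "no", so a missing record can never be mistaken for consent, and withdrawal is stored as a new event rather than deleting the grant, so the ledger itself remains the evidence that consent existed for the period during which you processed the data.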
2. Protection by design:
Under GDPR, data protection by design and by default (Article 25) means that privacy safeguards such as pseudonymisation and data minimisation must be built in both when you decide how a product or service will process data and during the processing itself, and that by default only the data necessary for each specific purpose is processed. Every company must be able to demonstrate its compliance with this rule (Article 25 of GDPR states: "An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article").
3. The one stop shop principle:
The one stop shop principle is an important component of the GDPR. For processing that crosses borders within the EU, a company deals primarily with a single lead supervisory authority, the one in the member state of its main establishment. Other concerned authorities are still involved through a cooperation procedure and can intervene in some situations, for example complaints that concern only their own country. This is good news for companies doing business in more than one member state, because dealing with one lead authority is far cheaper than answering to a separate one in each state.
4. Data protection officer (DPO):
A DPO or data protection officer is not needed by all companies but in the following three situations, one such designation is mandatory (According to article 37 of GDPR):
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
5. Territorial scope:
The territorial scope of GDPR is defined by the data subjects and the processing, not by where the company sits. In simpler words, even if your company has no establishment in the EU, if it offers goods or services to individuals in the EU or monitors their behaviour there, all of the rules apply to you.
6. Notification of data breach:
When a personal data breach occurs, the controller must notify its supervisory authority within 72 hours of becoming aware of it, where feasible, and must document any reason for delay. If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, the company must also inform those individuals without undue delay, explaining the nature of the breach, its likely consequences and the measures taken to address it. Failing to notify can be fined up to 10 million euros or 2% of worldwide annual turnover, whichever is higher.
How do I prepare my business for GDPR?
The next natural question popping up in your mind right now could be something like, “What should I do to be prepared?” Well, here are the steps that we think you should be taking right away:
- First things first: determine whether you are a controller (you decide the purposes and means of processing) or a processor (you process data on a controller's behalf). Sit down with your legal team and work through the definitions in GDPR before making the determination, as it shapes your preparations. (Note: in certain cases you can be both a controller and a processor, for different processing activities, so be very careful.)
- The next step (and this could take a while) is a data audit. Answer questions like "How much personal data do I have?", "Where is it?", "Why do I have it and on what legal basis?", "Who do I share it with?" and "How long do I need it?" The answers feed directly into the records of processing activities that most organisations must keep under Article 30.
- Hire or appoint a data protection officer if you need one.
- Have a sit-down with your legal team to work out which member state's authority will be your lead supervisory authority; this follows from where your main establishment in the EU is, so it is a question of fact rather than free choice. As mentioned above, dealing with a single lead authority across member states is important and resource-efficient.
- Rethink your consent seeking and disclosure procedures. Your users should have complete knowledge of what you mean to do with their data.
- Reduce third party risk. Any supplier that processes personal data on your behalf is a processor, and GDPR requires a written contract with them that sets out the subject matter, duration, nature and purpose of the processing and obliges them to act only on your instructions. Verify a supplier's compliance before you engage them, not after.
- Before you buy important enterprise software such as an email marketing solution or a CRM, make sure the service providers are GDPR compliant and that their software does not undermine your own compliance in any way. Some companies, such as Constant Contact, have already started making efforts to comply with GDPR, and it is worth comparing providers on this point before you decide.
- Lastly, you should embrace privacy/protection by design as it will help you identify any gaps in the early stages and will lead to reduction in any possible costs.
How will GDPR change the way we explore the internet?
GDPR is set to change the overall outlook of the internet. The most visible changes will be the ones regarding consent as users will be presented with more and more popups for explicit consent acquisition. Additionally, more and more companies will provide users with the ability to download all the data a company has on them. The top email marketing platforms like AWeber and ActiveCampaign will provide companies the ability to keep their customer engagement efforts ongoing without disrupting their GDPR compliance or violating any user rights. After GDPR, there will be stricter consequences if you send a newsletter to a person who explicitly opted not to receive it.
Most of the changes, however, will happen behind the scenes. In the past, companies have shared data with few legal repercussions, but GDPR imposes rules on data sharing, analytics and advertising. In particular, a company that receives personal data from another company rather than from the user directly must itself inform the data subject of what it holds and why, and must have a valid legal basis for each use, so it inherits substantial transparency and consent obligations.
It is often claimed that 90% of the data on the internet today was created in the last few years, and with that in mind, calling GDPR a need of the hour is no overstatement. From May 25, 2018, GDPR changes the way companies obtain, store and handle personal data, making life somewhat harder for them and forcing them to be more cautious. The main objective of GDPR is to protect personal data and give people in the EU significantly more control over it, and it is set to do just that.