The General Data Protection Regulation comes into force on 25th May 2018 and, according to a new study by Crowd Research Partners, 60% of companies are unlikely to meet the deadline for compliance with the new EU data legislation.
Don’t be fooled if you think this doesn’t apply to you because you’re outside the EU. If you own a business anywhere in the world and deal with EU citizens’ personal data, then you will have no choice but to comply with GDPR.
Lost you at GDPR?
No need to panic, it’s not as complex as everyone is making it out to be (OK, maybe a little).
To put it simply, GDPR is a regulation that will force all companies to disclose any data breach – be it human error or a cyber attack – to the relevant party within 72 hours.
In other words, the EU would rather not have a repeat of the 2016 Uber scandal. Let me refresh your memory: hackers managed to expose the personal information of 57 million Uber users and 600,000 drivers.
Not only did Uber wait an entire year until they made the breach public, but they also paid the hackers $100,000 to destroy the data with no actual proof of it being done.
If you fail to comply, you could be looking at fines from 10 million to billions of euros, depending on the severity of the breach.
Yes, business owners are up in arms at the moment but let’s take a step back and realise this may be a blessing in disguise. The GDPR aims to give the control back to the consumers when it comes to their personal data and how it’s being used by companies.
EU citizens now have the choice to opt-out of the data trade and say: “Actually, I’d rather not have you sharing my data with third parties, thanks.”
GDPR doesn’t have to be all doom and gloom. As business owners, this is our opportunity to sort out the way we handle data, gain meaningful insights into our customers’ journey and be more transparent.
Here’s what you need to know about how GDPR will impact your day-to-day business.
Know your data
Start by having a look at the data you hold, where it comes from, how you store this data and how you use it – whether it be paper or electronic.
What constitutes “personal data” under GDPR?
Personal data is a broad term.
The GDPR clarifies it as:
“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In simple terms, this is anything from names, addresses, emails, bank details, IP addresses, information related to the workplace and sensitive data including health, religion, political opinions, and geo-tracking data.
Identify your reason for having this personal data and obtain consent.
This is when it gets tricky.
If you rely on consent to process this personal data, then listen up. When it comes to email marketing you will now have to be clear, specific and explicit about what you will send to a customer’s inbox. No more hidden small print and sneaky pre-ticked boxes: you need to be clear about what you’re doing with their information.
It’s time to stop hanging on to old baggage (data).
GDPR will require companies not to keep personal data for longer than they need it, especially if the person is not aware you have this information. See this as a ‘spring clean’ of your mailing list – once you start to categorise your data, you can start to understand why you have it in the first place and whether you even need it.
It’s important to note that inactivity on a user’s side doesn’t grant you permission to continue to use their data and send them marketing materials.
Implement a re-permission program
If you don’t have GDPR-compliant consent from your contacts, you can run a re-permission campaign to refresh the list and give users the choice to unsubscribe.
It’s straightforward – if you don’t get consent from your customers to use their data, you will not be able to use it and will have to erase it. And if you
Get your security measures in place and your policies in check.
You can’t get around GDPR by encrypting personal data alone.
But it’s a good place to start. Make sure you update your security measures and make use of encryption to help minimise the risk of a data breach and ensure you’re protecting the privacy of your customers’ personal data.
What is encryption?
“Information is encrypted and decrypted using a secret key (some algorithms use a different key for encryption and decryption). Without the key the information cannot be accessed and is therefore protected from unauthorised or unlawful processing.” – Information Commissioner’s Office
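To make the ICO’s definition concrete, here is an added example (not from the original post or the ICO) of protecting a customer record at rest: the record is sealed with a secret key using AES-256-GCM, can be read back only with that key, and any attempt with a different key or on tampered ciphertext is rejected. The record contents, the key handling and the function names are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 32-byte secret key (AES-256). In a real deployment the key
// lives in a key store or HSM, never in the same database as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD wraps the key in AES-GCM, which encrypts and also authenticates the data,
// so modified ciphertext is detected rather than silently decrypted into garbage.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and returns nonce || ciphertext || tag.
// A random nonce is generated per call; reusing a nonce with the same key breaks GCM.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts output produced by Seal. It fails with an error when the key is wrong
// or when the ciphertext has been altered, which is the property the ICO quote describes.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample record of the kind GDPR treats as personal data.
	record := []byte(`{"name":"Jane Example","email":"jane@example.com"}`)

	key, _ := NewKey()
	sealed, _ := Seal(key, record)
	fmt.Printf("stored on disk: %x...\n", sealed[:12])

	plain, err := Open(key, sealed)
	fmt.Println("with the right key:", string(plain), err)

	wrongKey, _ := NewKey()
	_, err = Open(wrongKey, sealed)
	fmt.Println("with the wrong key:", err) // authentication failure, no plaintext returned
}
```

The point the article makes still stands: the ciphertext is only as private as the key. If the key is stored beside the data, or is reachable by the same compromised account, encryption has not reduced the impact of a breach, so key storage and access control are part of the same measure.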
Know the difference between a data controller and a data processor
This is a grey area because it’s not always clear who exactly is the controller and who’s the processor when it comes to data.
The data controller determines the purpose for which personal data is processed, whereas a data processor is responsible for processing data on behalf of the controller.
To break this down: many companies may be in the situation where they are only responsible for the storage of the data whereas their clients, in the scope of their own business, are responsible for collecting and processing this personal data.
For example, an insurance company (controller) collects the data of its clients when they sign up for a policy, but it may be another organisation (processor) that’s tasked with digitalising, cataloguing and storing all this information.
As a data controller, you’ll have to meet a number of requirements under EU law, such as notifying the relevant national authority before you carry out any data processing and implementing measures to protect personal data against accidental loss or unauthorised access.
It can be a confusing task to determine whether you’re a data controller or data processor, so here’s a helpful PDF by the Information Commissioner’s Office: https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf
Time is ticking, so get moving on making sure your business is GDPR compliant. If you’re able to show your clients that your organisation is compliant with the new laws (protecting the rights of citizens just like you), it will only mean you’ll be taken more seriously.
Aside from the unpleasant fines your business could face, see GDPR as an opportunity to get organised and earn the trust of your customers. Your business will be stronger for it.