GDPR 101: The new EU General Data Protection Regulation (GDPR)
The EU’s General Data Protection Regulation (GDPR) compliance date is rapidly approaching (May 25, 2018). Recent surveys show that less than 60% of UK businesses will be ready for the new GDPR regulations, with that number being even lower for businesses outside of the UK. Computer Weekly reports that almost 80% of US firms will be affected by the new GDPR standards and penalties.
The GDPR does not just apply to European businesses; it applies to anyone that has a single contact in their database that resides in the UK. So, should you be worried? The bottom line is that the GDPR will likely affect the way you do business, and you must be aware of the new GDPR regulations and prepare for them.
This post is designed to give you the basics and requirements of the GDPR.
What is the new General Data Protection Regulation?
The GDPR is a regulation in the EU covering privacy for all individuals within the European Union. The GDPR addresses the export of personal data outside of the EU. The GDPR is designed to give EU residents control over their personal data and to simplify the regulations for international businesses.
The reform is designed to bring laws and regulations around personal data, privacy and consent up to speed to truly reflect the new internet age we live in.
Under the GDPR, organizations and those that collect and manage personal data must ensure that the data is collected legally and under strict conditions, as well as respect the rights of the owners of that data (the individual).
Who does the EU GDPR apply to?
The GDPR applies to organizations that handle personally identifiable information on European citizens. This does not only apply to companies in Europe. If you deal with or are storing data on individuals that reside in the EU, this applies to you.
If you happen to be a business outside of the UK or EU, you may be thinking that this does not apply to you. Think again. The GDPR DOES APPLY to non-EU/UK-based businesses, and with the cooperation of local authorities it will be enforced against you.
As you dive into the regulation, it identifies two types of data handlers: processors and controllers. Processors are the entities that process data on behalf of the Data Controller.
The Controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The data controller determines the purposes for which and the manner in which personal data is processed. It can do this either on its own or jointly or in common with other organizations. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.
The data processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In simple terms, you as a business owner are more than likely the controller, and the marketing solutions, CRM, etc. that you use are the processors.
What type of data is considered personal data under the GDPR?
The types of data considered personal (PII, Personally Identifiable Information) under the GDPR include: name, address, IP address and photos. It also includes sensitive personal data such as genetic data and biometric data which could be processed to uniquely identify an individual.
How does the GDPR affect you?
GDPR establishes one law across the continent and a single set of rules which apply to companies doing business within EU member states. This means the reach of the legislation extends further than the borders of Europe itself, as international organizations based outside the region but with activity on 'European soil' will still need to comply.
GDPR guidelines state that an entity can face fines of up to 20 million Euros or 4% of their Global Annual Turnover (AKA “revenue” in the U.S.), whichever is greater. Those are the maximum fines; as of now, there does not appear to be guidance on specific amounts for particular violation types.
Types of violations include: infringements of the rights of the data subjects, unauthorized international transfer of personal data, failure to report a breach, and failure to put procedures in place for handling data access requests or ignoring such requests.
What do you need to do prior to May 25th?
1. Understand the law: Know what your obligations are under GDPR as it relates to collecting, storing, and processing data.
2. Create a Data Map: Document your data flow. Identify your data sources and what information can be found in each. You will need to determine the following:
- What data you hold, where it came from and whom you share it with.
- What Information you have on UK/EU residents.
- Which third-party service providers you use, and ensure they are compliant with the GDPR.
Once you have determined the above, you will need to update your privacy policies to ensure they address and comply with the GDPR.
3. Gain Explicit Consent: Consent needs to occur for marketers and business owners on 2 fronts. First, you need to gain proper consent on all new opt-ins into your system. This goes for Lead Generation as well as sales. If you operate an e-commerce business, you will want to garner consent to market on your order forms in order to follow up with other marketing. Consent needs to be obtained for both new contacts as well as your existing database. Yes, this does mean you should re-permission and clean your database. Here are guidelines for what the GDPR considers consent:
- Contain a clear statement of consent using plain English that is easy to understand
- Be separate from any other terms and conditions
- Explain why you want the data and what you will do with it
- Require a positive opt-in (no pre-checked boxes)
- Name third party controllers that will rely on consent
- Explain how the contact may withdraw consent (opt-out or be forgotten)
- Avoid making consent a pre-condition of service
4. Update your privacy policies: Your privacy policies need to be updated to reflect the new GDPR regulations. These policies should be clear and easy to understand. They need to cover exactly what data you collect and how you use it. This includes not only the obvious PII (name, email, etc.) but also cookies, pixels, tracking mechanisms and even affiliate links.
What else should I be aware of?
To dive in and learn everything there is to know about the GDPR, check out the link here to the EU GDPR Website.
P.S. We are not lawyers, and this should not be taken as legal advice, but as guidelines as to what you need to know and what you need to do to be prepared.