- What is GDPR and what does it stand for? The new EU regulation has affected businesses worldwide. In this article, we explain the what, the how and the why of the new EU privacy law.
- What are the business implications of GDPR? How will your business, whether based in the EU or not, comply with the long list of "articles" under GDPR?
- GDPR will affect the way you communicate, but how? The way you handle personal data has now changed, and this applies to both prospect and customer data.
The internet has dramatically changed the way we communicate and how we handle everyday tasks.
We send emails, we share documents, we pay bills and we purchase goods by entering our personal details, all online and without a second thought.
Have you ever stopped to wonder how much personal data you have shared online?
Or what happens to that information?
We’re talking about banking information, contacts, addresses, social media posts, and even your IP address and the sites that you’ve visited, all of which are stored digitally.
Companies tell you that they collect this type of information so that they can serve you better, offer you more targeted and relevant communications, all to provide you with a better customer experience.
But, is that what they really use the data for?
This is the question that has been asked and answered by the EU, and why in May 2018 a new European privacy regulation called GDPR was enforced and permanently changed the way you, as a business, collect, store and use customer data.
In a study of more than 800 IT and business professionals that are responsible for data privacy at companies with European customers, AIIM found that more than 50% of businesses know little or nothing about GDPR.
More recently, TrustArc found that only 20% of businesses believe they are now GDPR compliant.
The worst part?
More than 1 in 4 companies (27%) have yet to begin work on making their organization GDPR compliant - more than 2 years after the May 25th deadline has passed!
It's easy to understand if a small brick-and-mortar store found it difficult to prepare for GDPR, but research from The Ponemon Institute found that 60% of tech companies weren't ready either.
So, it's not just small "non-techy" businesses that are behind with GDPR!
So, whether you're in tech, travel, retail or an entrepreneur, we explain what GDPR is, how it will impact your business and include practical tips on how you can prepare for GDPR compliance.
What is GDPR?
On May 25, 2018, the new European privacy regulation came into effect.
GDPR stands for the General Data Protection Regulation.
This regulation has been implemented in all local privacy laws across the entire EU and EEA region. It will apply to all companies selling to and storing personal information about citizens in Europe, including companies on other continents.
What GDPR means is that citizens of the EU and EEA now have greater control over their personal data and assurances that their information is being securely protected across Europe.
According to the GDPR, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
There is no distinction between personal data about individuals in their private, public or work roles – the person is the person. Also in a B2B setting, everything is about individuals interacting and sharing information with and about each other. Customers in B2B marketing are obviously companies, but the relationships that handle the business topics are people – or individuals.
Note: Although similar, GDPR is not the same as the new Swiss privacy law Federal Act on Data Protection (FADP).
The 8 basic rights of GDPR
Under the GDPR, individuals have:
- The right to access – this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
- The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
- The right to data portability – individuals have a right to transfer their data from one service provider to another, and it must happen in a commonly used and machine-readable format.
- The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
- The right to have information corrected – this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
- The right to restrict processing – Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
- The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
- The right to be notified – if there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
The GDPR is the EU’s way of giving individuals, prospects, customers, contractors and employees more power over their data and less power to the organizations that collect and use such data for monetary gain.
The business implications of GDPR
This new data protection regulation puts the consumer in the driver’s seat, and the task of complying with this regulation falls upon businesses and organizations. Otherwise, you're failing to comply.
What falls under GDPR compliance?
Well, GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Even non-EU established organizations will be subject to GDPR. If your business offers goods and/or services to citizens in the EU, then it’s subject to GDPR.
All organizations and companies that work with personal data should appoint a data protection officer or data controller who is in charge of GDPR compliance.
There are tough penalties for those companies and organizations who don’t comply with GDPR: fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.
How seriously is the EU taking GDPR?
- British Airways are facing fines of up to €200 million for a data breach that occurred in September 2018
- Marriott International are expected to be fined in the region of €99 million for a data breach between 2014 and 2018
Now, many people might think that the GDPR is just an IT issue, but that is far from the truth. It has broad-sweeping implications for the whole company, including the way companies handle marketing and sales activities.
The impact of GDPR on customer engagement
The conditions for obtaining consent are stricter under GDPR requirements as the individual must have the right to withdraw consent at any time and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities.
This means you have to be able to prove that the individual agreed to a certain action, to receive a newsletter for instance. It is not allowed to assume or add a disclaimer, and providing an opt-out option is not enough.
GDPR has changed a lot of things for companies, such as the way your sales teams prospect or the way that marketing activities are managed. Companies have had to review business processes, applications and forms to be compliant with double opt-in rules and email marketing best practices. In order to sign up for communication, prospects will have to fill out a form or tick a box and then confirm it was their action in a further email.
Organizations must prove that consent was given in a case where an individual objects to receiving the communication. This means that any data held must have a time-stamped audit trail and reporting information that details what the contact opted into and how.
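One way to keep the double opt-in flow and the time-stamped consent trail described above, as an added example that is not part of the original article. The function names, the in-memory log and the hash chaining are assumptions made for illustration, and the sample addresses and purposes are constructed.

```python
import hashlib, hmac, secrets
from datetime import datetime, timezone

SECRET = secrets.token_bytes(32)  # assumption: per-deployment key for confirmation tokens
AUDIT_LOG = []                    # assumption: stands in for an append-only store

def _digest(fields):
    return hashlib.sha256(repr(sorted(fields.items())).encode()).hexdigest()

def _token(email, purpose):
    # Binds the confirmation link to one address and one processing purpose.
    return hmac.new(SECRET, f"{email}|{purpose}".encode(), hashlib.sha256).hexdigest()

def _record(event, email, purpose, how):
    # Time-stamped entry chained to the previous entry's hash, so later
    # edits or deletions in the trail are detectable.
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
             "email": email, "purpose": purpose, "how": how,
             "prev": AUDIT_LOG[-1]["hash"] if AUDIT_LOG else ""}
    entry["hash"] = _digest(entry)
    AUDIT_LOG.append(entry)

def request_opt_in(email, purpose, how):
    """Step 1: form filled out or box ticked. Returns the token to email."""
    _record("requested", email, purpose, how)
    return _token(email, purpose)

def confirm_opt_in(email, purpose, token):
    """Step 2: the link in the confirmation email was followed."""
    if not hmac.compare_digest(token.encode(), _token(email, purpose).encode()):
        return False
    _record("confirmed", email, purpose, "email confirmation link")
    return True

def withdraw(email, purpose, how):
    _record("withdrawn", email, purpose, how)

def has_consent(email, purpose):
    """True only if the latest event for this exact purpose is 'confirmed'."""
    events = [e["event"] for e in AUDIT_LOG
              if e["email"] == email and e["purpose"] == purpose]
    return bool(events) and events[-1] == "confirmed"

def trail_intact():
    prev = ""
    for e in AUDIT_LOG:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

Consent is tracked per purpose, so a confirmation for one purpose never counts for another, and a withdrawal is recorded as a new entry instead of deleting the earlier ones.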
If you purchase marketing lists, you are still responsible for getting the proper consent information, even if a vendor or outsourced partner was responsible for gathering the data.
In the B2B world, salespeople meet potential customers at a trade show, they exchange business cards, and when they come back to the office, they add the contacts to the company’s mailing list. In 2020, this is no longer possible.
Companies will have to look at new ways of collecting customer information.
Preparations for GDPR-compliance
A key component of the GDPR legislation is privacy by design.
Privacy by design requires that all departments in a company look closely at their data and how they handle it. There are many things a company has to do in order to be compliant with GDPR. If you have yet to take the next step towards compliance, here are just a few ways to help you get started.
1. Map your company’s data
Map where all of the personal data in your entire business comes from and document what you do with the data. Identify where the data resides, who can access it and if there are any risks to the data. This is not only important for GDPR, but will help improve Customer Relationship Management.
2. Determine what data you need to keep
Don’t keep more information than necessary and remove any data that you aren't using. If your business has collected a lot of data without any real benefit, now is the time to consider which data is important to your business. GDPR encourages a more disciplined treatment of personal data.
In the clean-up process, ask yourself:
- Why exactly are we archiving this data instead of just erasing it?
- Why are we saving all this data?
- What are we trying to achieve by collecting all these categories of personal information?
- Is the financial gain of deleting this information greater than encrypting it?
3. Put security measures in place
Develop and implement safeguards throughout your infrastructure to help contain any data breaches. This means putting security measures in place to guard against data breaches, and taking quick action to notify individuals and authorities in the event a breach does occur.
Worryingly, law firm EMW found that data breach complaints have increased by 160% since the GDPR came into effect.
Make sure to check with your suppliers also. Outsourcing doesn’t exempt you from being liable and you need to make sure that they have the right security measures in place. One example is the recent data breach affecting companies that used the third-party survey provider Typeform.
Typeform were quick to communicate the data breach and included a template for their customers that used their software to collect personal information.
4. Review your documentation
Under GDPR, individuals have to explicitly consent to the acquisition and processing of their data. Pre-checked boxes and implied consent will not be acceptable anymore. You will have to review all of your privacy statements and disclosures and adjust them where needed.
5. Establish procedures for handling personal data
As we mentioned earlier, individuals have 8 basic rights under GDPR.
You now need to establish policies and procedures for how you will handle each of these situations.
- How can individuals give consent in a legal manner?
- What is the process if an individual wants his data to be deleted?
- How will you ensure that it is done across all platforms and that it really is deleted?
- If an individual wants his data to be transferred, how will you do it?
- How will you confirm that the person who requested to have his data transferred is the person he says he is?
- What is the communication plan in case of a data breach?
Data is a valuable currency in this new world.
And while GDPR does create challenges and pain for us as businesses, it also creates opportunity.
Companies who show they value an individual’s privacy (beyond mere legal compliance), who are transparent about how the data is used, who design and implement new and improved ways of managing customer data throughout its life cycle build deeper trust and retain more loyal customers.
When GDPR was first announced in 2016, it felt like there was plenty of time for new businesses to take the necessary steps. But this time has flown by and many companies are still scrambling, even after the deadline has passed. So, if you haven’t already started your journey to compliance, we urge you to start now.
Dedicate time to understand what you need to do in order to become compliant and use the practical tips shared in this article to help you get started. Then, create a plan of action for your journey to GDPR so you can ensure you and your business are compliant sooner, rather than later.
Disclaimer: The content in this blog post (including all responses to comments) is not to be considered legal advice and should be used for information purposes only.