Described on the official GDPR website as one of the most important changes in data privacy regulation in the last 20 years, the General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and if you are an EU business, or a business that markets to the EU, you need to be ready.
As outlined below, failure to comply with this new regulation can result in hefty fines, as high as €20 million.
This article provides a general outline of things you need to know before the GDPR release date. Before we delve deep into the ins and outs of this regulatory change, here is a legal disclaimer:
This article is not legal advice for your organization to use in complying with data privacy laws like the GDPR. IMPACT provides this article as a resource to help you better understand the background information of some of the most important points in the GDPR.
This information does not replace the advice of an attorney. If your company is seeking legal advice for following the GDPR guidelines, then your best bet is to speak with an attorney who can apply the laws to your unique situation.
What is the General Data Protection Regulation (GDPR)?
Before we go into what the GDPR is changing, you as a reader need to understand exactly what this change is.
The GDPR is replacing the EU’s current data protection regulation, the EU Data Protection Directive (DPD). The new regulation is intended to synchronize data privacy laws across Europe, protect people’s privacy, and make organizations more responsible when it comes to collecting data from their visitors or clients.
Yes, the GDPR is intended specifically for businesses and citizens in the EU, but if your organization has any visitors or clients from the EU, you must be compliant with this regulation. That said, no matter the size or location of your company, it is important that you understand the new regulation and how to modify your current business practices when it comes to data collection.
According to an article by ITPRO, which has a detailed explanation of the GDPR for small businesses, if your company has fewer than 250 employees, the new regulation states “you must hold internal records of your processing activities, where the data being processed could risk somebody’s rights and freedoms, or where that data relates to criminal convictions and offences.”
According to that same article, if your company has more than 250 employees, the new regulation states you must keep records with even more detail. The new records must document “the name and details of your organization, your data protection officer, why you’re processing the data, a description of the types of individuals and categories of their personal data, as well as categories of recipients of this data, details of any foreign transfers of that data outside the EU including documentation proving that data will be safeguarded abroad, retention schedules, and a description of your technical and organizational security measures”.
If you fail to be compliant, you could be fined up to 4% of your annual global turnover or €20 million, whichever is greater, which is a rather hefty fine. To help you become, and remain, compliant, we’ve written this article, which walks you through the GDPR need-to-knows.
This is a broad overview of the GDPR; to read more on this subject and how it came to be, visit the GDPR website. We also have an article that explores the GDPR further and looks at it from an international school perspective. Read that article here.
What are the Changes that Come With the GDPR That Affect Inbound Marketing?
Think about every time you have signed up for something online and the many times you’ve entered your full name, address, email, and even your phone number. Data collection is a core practice of marketing, as it helps you nurture your leads.
Now think of your own business. Do you have a form anywhere on your website where you collect information about visitors? Do you use any sort of tracking software to understand how visitors move through your website? If you answered yes, or even hesitated because you don’t know, you need to understand the changes the GDPR is bringing. There are seven areas the GDPR is changing and strengthening when it comes to data privacy.
Consent Needs to be Clear and Continuous
Consent can no longer be an illegible attachment of legal terms that the general public will not understand. You know those boxes you’ve scrolled through quickly just to activate the “I Agree” button? Well, that format is no longer permitted. Now you have to write clear and concise instructions in plain language so people understand exactly what they are agreeing to.
As the controller of an individual’s data, you are obliged to be diligent in obtaining a statement of consent or ensuring that the submission of information is a clear affirmative action.
Another change regarding consent is that you have to make it easy to withdraw at any time.
To read more on the changes to consent, read our blog post here.
Quick Notification of a Data Breach
In any situation where a data breach could put an individual’s rights and freedoms at risk, a notification of that breach must be sent out.
It could be something as simple as accidentally sending out an individual’s contact information, but in any case you must send out a notification within 72 hours of becoming aware of the breach.
Transparency and a Right to Access
Transparency is key with the GDPR; if any customer wants to know more about how their information is being used, where it’s being used, and for what purpose, the request must be fulfilled within a maximum of 30 days.
If they request a copy of the personal data, you must provide them with exactly what they’re asking for, free of charge and in an electronic format.
Along with transparency and a right to access, your customers also have the right to data portability, which simply means they can obtain any information you have on them and then transmit that information to another controller.
Privacy by Design Rather Than Privacy by Addition
With the new GDPR, it is now a legal requirement to design a system specifically responsible for protecting data. “The controller shall… implement appropriate technical and organizational measures...in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects,” as quoted in the website devoted to outlining the GDPR.
In addition to this part of the change, there is a targeted effort towards data minimisation. Simply put, the GDPR is trying to minimize the amount of information we obtain on individuals, so that we only collect what is needed to complete our duties. Once the information has been obtained, only those who require access to it will be granted it.
When making a form on your website, think about what you actually need from the person; don’t ask for things for the sake of asking. For example, you shouldn’t ask for a prospect’s address if you aren’t going to use it for a defined purpose, such as mailing a package or offers.
Appointing Data Protection Officers
Under the old system, organizations were required to notify local Data Protection Authorities (DPA) of their data processing activities. With the GDPR, this will no longer be required. In place of the old practice, organizations will now be required to appoint a Data Protection Officer (DPO), who will be in charge of internal record keeping.
The rules governing the DPO are as follows:
- Must be appointed on the basis of professional qualities and expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest
Find out more on the GDPR website.
What Steps Should Your Organization be Taking Now to be GDPR Compliant?
We know there is a lot of legal jargon that comes with the GDPR and that it can be difficult to navigate. The Information Commissioner’s Office (ICO) developed an easy-to-follow 12-step guide on steps to take now to be compliant.
The steps are as follows:
- Be aware of the changes the GDPR brings.
- Understand and make note of the personal data you hold, where it came from, and who you share it with.
- Review your current privacy notices.
- Ensure your current practice covers all the rights of individuals you are collecting information from.
- Update your practices to make sure you can follow the new subject access requests.
- Identify the lawful basis for processing personal data and update it accordingly.
- Look at how you are currently seeking and managing consent and update it accordingly.
- If your business attains information about children, make sure you are obtaining parental or a legal guardian’s consent for any data processing.
- When it comes to data breaches, make sure you have the right systems in place to detect, report, and investigate.
- Familiarize yourself with the ICO’s code of practice on Privacy Impact Assessments. Look at how you as a business are going to implement data protection by design.
- Designate someone to become the DPO.
- If your organization operates in more than one EU member state, identify your lead data protection supervisory authority.
See more of a breakdown of the 12 steps here.
The GDPR Comes into Effect May 25, 2018
With the looming implementation date of May 25, it is now time to make sure you are compliant with the GDPR. If your organization was already following the rules of the DPD then there are only a few changes you need to make.
The new privacy regulation holds us all accountable to the people who trust us with their information. With the GDPR, we will all become more trustworthy, more transparent, and more worthy of the personal information our customers are placing in our hands.