If you have recently received an email from Google regarding the General Data Protection Regulation (GDPR), you may be wondering what your company needs to do in order to be compliant with the regulation. The GDPR regulates how businesses are allowed to collect, store, and process data, and puts strict processes in place for doing so.
What is the GDPR?
The GDPR exists to offer protection and privacy for individuals within the European Union (EU) and to give users the right and ability to control how their personal data is used, processed, and accessed. Businesses that do not comply by the deadline risk heavy penalties. Put simply, the GDPR states that any time personal data is collected from an individual in the EU, the business must obtain informed consent and, at the same time, give the individual the option to revoke that consent. Not only must you collect consent, but you must also document how and when it was given.
What Changes Will Come of This?
The biggest and most noticeable change will come to the Terms of Service and the other data security notices users are shown before sharing information. You might notice clearer and bigger font in the Terms of Service; this is to ensure users can clearly read what they are agreeing to. We are encouraging our clients to alter their terms and conditions to be simple, clear, and easy to understand.
There will also be changes in how businesses collect data from customers. Under the GDPR you can only collect data if you have a legal reason to do so; this means that you must be able to justify what the personal data will be used for, and you may only use it for that purpose.
In addition, larger businesses (over 250 employees) must appoint a data protection officer (DPO) to oversee compliance with the guidelines. Smaller companies (fewer than 250 employees) can have a part-time person manage this role or add it to an existing role.
Who Does it Impact?
These regulatory changes impact any company that collects data from individuals in the European Union. It’s important to note that even if your company operates strictly in the U.S., you will still need to comply. If your company has an online presence that can be accessed by anyone in the world, then your business will be liable if the necessary data security measures are not in place and consumer data is not protected.
If a company does not comply and experiences a security breach, it could face hefty fines. A lower tier violation would result in a fine of €10 million (roughly $12 million U.S.) or 2% of global annual revenue from the prior year. Here is what the GDPR considers a lower tier violation:
- A data breach that results in personal data being impacted
- Notification of a data breach to the supervisory authority
- Failure to properly designate a DPO
- Not obtaining consent before processing a child’s personal data
A more serious violation would result in a fine of €20 million (roughly $23 million U.S.) or 4% of global annual revenue from the prior year, whichever is greater. Here are the offenses that could land a company an upper tier fine:
- Non-adherence to the principles of data security and the protection of personal data
- Infringing on the rights of data subjects
- Transferring personal data to third-party organizations or countries
What Constitutes Personal Data?
Under the GDPR regulatory changes, personal data is any data that can be used to identify a ‘data subject.’ This includes, among other things:
- Name
- Photo
- Email address
- Medical information
- Bank details
- Social media post
- Computer IP address
What Steps Should I Take?
As a marketing firm and not a legal firm, we advise you to seek legal counsel on this to make sure you are protected. However, based on our research, here is the GDPR checklist of items we recommend reviewing or putting in place as soon as possible:
- Identify and train, or hire, a data protection officer (DPO)
- Track your data to be able to notify users if there is a data breach
- Know if and where you share information with other organizations
- Clearly communicate and update your privacy and security policy
- Put into place, or update, your data breach notification protocols
- Ensure you have users’ consent to use their data
- To be safe, re-obtain consent from your existing customer database (be careful not to email those who have previously opted out)
- Allow users the right to ask for their personal data to be deleted
- Get a process in place for obtaining, documenting, and maintaining a legal basis for each piece of personal data that is collected
- Consider creating a preference center where your customers can manage their data and communication methods
If you have any specific questions on what the GDPR means for your business and what actions you need to take, we recommend, as suggested earlier, talking with your legal advisor to ensure you are compliant before May 25, 2018. In addition, we recommend you talk with your customer relationship management (CRM) software provider to ensure their platform has the functionality in place to keep you compliant with respect to opt-in and opt-out features. If you would like more information on a GDPR checklist, we recommend you review HubSpot’s GDPR Compliance Checklist.
Disclaimer:
You may not rely on this article as legal advice, nor as a recommendation of any particular legal understanding. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.