Does Your Business Need to Worry About GDPR?
Have you been getting email after email about privacy policy updates and GDPR – from every single app, software platform, social media channel, and any other thing on the internet you use?
Yep. We all have.
If you collect any kind of consumer data, you need to read this. There’s a reason why marketers everywhere are scrambling to put out communications about GDPR. Compliance with these new regulations is no joke, and they want to make sure they’re compliant. GDPR goes beyond social media websites. If your business has an app, if you use CRM, if you send emails to a database of customers, you’re likely to be affected.
Keep reading to find out what GDPR is and how it could affect your business operations, your data gathering practices, and your marketing.
What is GDPR?
GDPR stands for General Data Protection Regulation, and it is the biggest privacy law ever. This landmark piece of legislation was passed by the European Union and went into effect May 25, 2018. It expands the privacy rights of EU individuals and places high demands on organizations that market, track, or handle the personal data of European citizens.
The law was designed to create common standards for data protection across all European states. Its regulations are strict, and the consequences of not following them are harsh.
We know what you might be thinking. We live in America! How does this affect us?
Even if your company doesn’t explicitly do business in Europe, or your target audience is strictly in North America, if you collect consumer data and one of those people happens to live in Europe, you are bound by GDPR.
GDPR details that businesses need to worry about
The regulations of this law dramatically change how the personal data of European citizens can be collected and used. In short, organizations that collect personal data have to ensure that it’s gathered legally and protected from misuse and exploitation.
There are three important terms to know regarding the parties referred to in the GDPR:
- Data subject: a consumer or user who lives in Europe
- Data controller: a person or organization that determines the purposes and means of processing personal data (e.g., a business that collects data for marketing purposes)
- Data processor: a person or organization that processes personal data on behalf of a controller (e.g., a third-party service, such as a CRM or email platform).
Personal data includes name, address, photos, IP address, genetic data, and any biometric data that could be processed and used to uniquely identify an individual.
There are several pieces to GDPR compliance. The big ones are consent, data protection, data protection officer (DPO), and consumer right of access to personal data.
1. Consent
Personal data may only be processed if the data subject has given explicit consent to processing for one or more specific purposes, or if there is at least one other legal basis for it. Other legal bases include public interest, compliance with a data controller’s legal obligations, and contractual obligations with the data subject.
If consent is your lawful reason, the GDPR outlines specific ways to gain that consent from users. Before you can collect data, you must have explicit reasons for collecting the data and clear intentions of how it will be used. The user must receive an opt-in with clear guidelines and explanations written in plain language. If the user is under the age of 16, consent must be collected through a parent or legal guardian.
Additionally, users must be informed of how long data is retained, if data is being transferred to a third party, and whether that third party is inside or outside the EU. Users must be told who the data controller is and who their designated data protection officer is (more on that later).
GDPR also requires that users be informed of their privacy rights under the law, which is why you’ve been receiving all those emails and privacy notices. Users have the right to revoke consent, view their personal data, obtain a copy of their data, contest automated decision making, have their data erased (the “right to be forgotten”), and file complaints.
2. Data protection
There are specific data protection measures required by GDPR. One of those is the pseudonymization of personal data. Pseudonymization is a de-identification process in which the identifying fields within a data record are replaced by one or more artificial identifiers, with the information needed to re-identify the record kept separately. It makes the data record less identifiable while not compromising a controller’s or processor’s ability to process and analyze that same data.
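As an added illustration (not code from the original post), here is the pseudonymization process in Python on a few constructed customer records: the direct identifiers are replaced by a keyed token so that the same customer still maps to the same token for analysis, while the re-identification table is kept apart from the working data. The records, the key, and the field names are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the people, addresses and amounts are invented.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "ip": "203.0.113.7", "purchase": 42.50},
    {"name": "Bob Sample", "email": "bob@example.org", "ip": "198.51.100.9", "purchase": 9.99},
    {"name": "Alice Example", "email": "alice@example.com", "ip": "203.0.113.7", "purchase": 15.00},
]

# Fields that identify a person directly and must not stay in the working copy.
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC rather than a plain hash: an unkeyed SHA-256 of an email
    address can be recomputed by anyone who guesses the address, so it would
    not count as de-identified. The key is the 'additional information' that
    GDPR expects to be stored separately from the pseudonymized data."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return (working_records, lookup_table).

    working_records: the direct identifiers are removed and a stable
    subject_id token is added, so analysis can still group by customer.
    lookup_table: token -> original identifiers, to be stored separately
    (different system, tighter access) from the working records."""
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)  # email chosen as the join key
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        cleaned = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        cleaned["subject_id"] = token
        working.append(cleaned)
    return working, lookup


def spend_per_subject(working_records):
    """Analysis that still works on the pseudonymized copy: total spend per customer."""
    totals = Counter()
    for rec in working_records:
        totals[rec["subject_id"]] += rec["purchase"]
    return totals


def reidentify(token: str, lookup):
    """Controlled re-identification, e.g. to answer a right-of-access request."""
    return lookup.get(token)
```

The same input with a different key yields different tokens, which is what lets you rotate or retire the key (and with it the ability to re-identify) without touching the working data.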
3. Data protection officer (DPO)
If your company processes a large amount of data, you are required to hire a dedicated (and qualified) person to be your DPO. His or her job is to ensure GDPR compliance. The DPO is the point person in compliance and liability issues.
4. Right of access
Remember when Facebook sent out messaging after the Cambridge Analytica breach that gave users the ability to download their data? That’s one example of users’ right of access. It gives citizens the right to access their personal data, as well as information about how their personal data is being processed. If you are a data controller, you have to provide any user with the data categories being collected upon request.
How GDPR could affect you
In the age of Big Data, almost every business entity collects data: social media companies, app developers, banks, retailers, governments, etc. Any company you purchase things from using your credit card has the ability to collect, store, and analyze your purchase history and any associated personal information.
The bottom line is that if you handle anything that might identify an individual, you fall under the definition of collecting personal data. If you’re selling products or services in the EU (even if you’re based in the U.S.), the GDPR affects you. If you’re monitoring or getting information about the behaviors of people in Europe (think about your website or app users, your newsletter subscribers, etc.), it affects you.
What about B2B? That’s an important piece as well. While the regulations for business data collection aren’t as restrictive as consumer regulations, business data processing must:
- Relate to the interests of your business or a specified third party.
- Be necessary to achieve the legitimate interests of the organization.
Steps to take
If you’re starting to get concerned, here are some steps you can take to protect yourself.
1. Block Europe
Kidding but not kidding … The day GDPR went into effect, a number of U.S.-based news sites blocked access to European countries (which sort of makes you wonder what they’ve been collecting). You could follow suit and just block EU users altogether.
2. Hop on the data protection train and get serious about protecting data
People are starting to pay attention to and care more about what companies do with the user data they collect. People care about privacy and the security of their data. GDPR presents you with an opportunity to strengthen your privacy program BEFORE a major breach happens.
Additionally, who’s to say the U.S. won’t pass similar legislation after they see how the chips fall in Europe? Shouldn’t we be more protective of our data anyway? Here are some actions you can take within your organization to come into compliance with GDPR:
- Perform an information audit and document what personal data you hold, where it came from, and whom you share it with.
- Review your current privacy notices and put a plan in place for making necessary changes. Check that your procedures cover all the individual rights protected in the GDPR.
- Decide how you will delete personal data or provide user data electronically in the event it is requested.
- Identify and document your lawful basis for each data processing activity with regard to GDPR, and update your privacy policy to reflect that information.
- Review how you record and manage consent and refresh any existing consents if they don’t meet the GDPR standard.
- Review how you verify age and obtain consent from legal guardians.
- Make sure you have processes in place for detecting and reporting a breach of personal data.
- If you’re processing large amounts of data, designate a DPO.
- Look into third-party pseudonymization solutions to further protect personal data.
- Make it a policy to only work with third-party providers who are GDPR compliant.
Consequences
Businesses should be taking this seriously. There are severe penalties for being non-compliant, including fines of up to 4% of your company’s global revenue.
Here’s some good news for Salesforce users: There’s a Trailhead on GDPR compliance! We highly recommend taking it if you think you will be processing EU user data.
GDPR comes down to data and how it’s collected, protected, and processed. Need a data hero to help you either get started with data or better use and protect what you have? Call us at RTS Labs, and we’ll put you in touch with our data teams for an initial conversation.