Software | June 7, 2018
Yep. We all have.
If you collect any kind of consumer data, you need to read this. There’s a reason why marketers everywhere are scrambling to put out communications about GDPR. Compliance with these new regulations is no joke, and they want to make sure they’re compliant. GDPR goes beyond social media websites. If your business has an app, if you use CRM, if you send emails to a database of customers, you’re likely to be affected.
Keep reading to find out what GDPR is and how it could affect your business operations, your data gathering practices, and your marketing.
GDPR stands for General Data Protection Regulation, and it is the biggest privacy law ever. This landmark piece of legislation was passed by the European Union and went into effect May 25, 2018. It expands the privacy rights of EU individuals and places high demands on organizations that market, track, or handle the personal data of European citizens.
The law was designed to help create common standards for data protection across all European states. Its regulations are strict, and the consequences of not following them are harsh.
We know what you might be thinking. We live in America! How does this affect us?
Even if your company doesn’t explicitly do business in Europe, or your target audience is strictly in North America, if you collect consumer data and one of those people happens to live in Europe, you are bound by GDPR.
The regulations of this law dramatically change how the personal data of European citizens can be collected and used. In short, organizations that collect personal data have to ensure that it’s gathered legally and protected from misuse and exploitation.
There are three important terms to know regarding the parties referred to in the GDPR:
Personal data includes name, address, photos, IP address, genetic data, and any biometric data that could be processed and used to uniquely identify an individual.
There are several pieces to GDPR compliance. The big ones are consent, data protection, data protection officer (DPO), and consumer right of access to personal data.
1. Consent
Unless a data subject has provided explicit consent to data processing for one or more purposes, personal data may not be processed unless there is at least one other legal basis to do so. Legal bases include public interest, compliance with a data controller’s legal obligations, or contractual obligations with a data subject.
If consent is your lawful reason, the GDPR outlines specific ways to gain that consent from users. Before you can collect data, you must have explicit reasons for collecting the data and clear intentions of how it will be used. The user must receive an opt-in with clear guidelines and explanations written in plain language. If the user is under the age of 16, consent must be collected through a parent or legal guardian.
Additionally, users must be informed of how long data is retained, if data is being transferred to a third party, and whether that third party is inside or outside the EU. Users must be told who the data controller is and who their designated data protection officer is (more on that later).
GDPR also requires that users be informed of their privacy rights under the law, which is why you’ve been receiving all those emails and privacy notices. Users have the right to revoke consent, view their personal data, obtain a copy of their data, contest automated decision making, have their data erased (the “right to be forgotten”), and file complaints.
2. Data protection
There are specific data protection measures required with GDPR. One of those is the pseudonymisation of personal data. Pseudonymisation is a de-identification process in which fields within a data record are replaced by one or more artificial identifiers. It makes the data record less identifiable without compromising a controller’s or processor’s ability to process and analyze that same data.
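As an added illustration (not RTS Labs code, and GDPR prescribes no particular method), the snippet below pseudonymises constructed sample records with a keyed HMAC-SHA256 token: the direct identifiers are removed, the re-identification table is kept separately with the key, and the records can still be grouped per subject for analysis.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records (not real people): direct identifiers plus the
# fields a controller still needs for analysis.
RECORDS = [
    {"name": "Ana Example", "email": "ana@example.org", "country": "DE", "spend": 40.0},
    {"name": "Ana Example", "email": "ana@example.org", "country": "DE", "spend": 15.5},
    {"name": "Bo Sample", "email": "bo@example.net", "country": "FR", "spend": 99.0},
]
IDENTIFYING_FIELDS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over a normalised identifier. The key stays with the
    controller, so a party holding only the pseudonymised data set cannot
    recover the e-mail address (an unkeyed hash could be matched against a
    list of known addresses, which is why a secret key is used here)."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised records, re-identification table).
    The table is the 'additional information' that must be kept separately;
    without it the records point only to artificial identifiers."""
    out, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        stripped = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        out.append({"subject_id": token, **stripped})
    return out, lookup


def spend_per_subject(pseudo_records):
    """Analysis still works: the same subject always maps to the same token,
    so records can be grouped without knowing who the subject is."""
    totals = defaultdict(float)
    for rec in pseudo_records:
        totals[rec["subject_id"]] += rec["spend"]
    return dict(totals)


if __name__ == "__main__":
    key = b"controller-secret-kept-separately"  # constructed example key
    pseudo, table = pseudonymise(RECORDS, key)
    print(pseudo)
    print(spend_per_subject(pseudo))
```

Rotating or losing the key changes every token, so a different controller (or the same one with a new key) cannot link records across data sets.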
3. Data protection officer (DPO)
If your company processes a large amount of data, you are required to hire a dedicated (and qualified) person to be your DPO. His or her job is to ensure GDPR compliance. The DPO is the point person in compliance and liability issues.
4. Right of access
Remember when Facebook sent out messaging after the Cambridge Analytica breach that gave users the ability to download their data? That’s one example of users’ right of access. It gives citizens the right to access their personal data, as well as information about how their personal data is being processed. If you are a data controller, you have to provide any user with the data categories being collected upon request.
In the age of Big Data, almost every business entity collects data: social media companies, app developers, banks, retailers, governments, etc. Any company you purchase things from using your credit card has the ability to collect, store, and analyze your purchase history and any associated personal information.
The bottom line is that if you handle anything that might identify an individual, you fall under the definition of collecting personal data. If you’re selling products or services in the EU (even if you’re based in the U.S.), the GDPR affects you. If you’re monitoring or getting information about the behaviors of people in Europe (think about your website or app users, your newsletter subscribers, etc.), it affects you.
What about B2B? That’s an important piece as well. While the regulations for business data collection aren’t as restrictive as consumer regulations, business data processing must:
If you’re starting to get concerned, here are some steps you can take to protect yourself.
1. Block Europe
Kidding but not kidding … The day GDPR went into effect, a number of U.S.-based news sites blocked access to European countries (which sort of makes you wonder what they’ve been collecting). You could follow suit and just block EU users altogether.
2. Hop on the data protection train and get serious about protecting data
People are starting to pay attention to and care more about what companies do with the user data they collect. People care about privacy and the security of their data. GDPR presents you with an opportunity to strengthen your privacy program BEFORE a major breach happens.
Additionally, who’s to say the U.S. won’t pass similar legislation after they see how the chips fall in Europe? Shouldn’t we be more protective of our data anyway? Here are some actions you can take within your organization to come into compliance with GDPR:
Businesses should be taking this seriously. There are severe penalties for being non-compliant, including fines of up to 4% of your company’s global revenue.
Here’s some good news for Salesforce users: There’s a Trailhead on GDPR compliance! We highly recommend taking it if you think you will be processing EU user data.
GDPR comes down to data and how it’s collected, protected, and processed. Need a data hero to help you either get started with data or better use and protect what you have? Call us at RTS Labs, and we’ll put you in touch with our data teams for an initial conversation.
Contact us to talk about how we can help.