As the economy (and indeed, the world) becomes increasingly digitised, more and more companies are holding highly sensitive personal information. As I’m sure you know, this data is used to study consumer behaviour, and allows digital marketers (like me) to ensure they’re marketing to the right people. Naturally, though, this poses significant risks for businesses, because the information can be stolen or abused (as the recent Facebook and Cambridge Analytica scandals made clear).
So, I bet you’re wondering, how does GDPR come into this? Well, to help prevent this sort of thing from happening, the European Union has introduced the General Data Protection Regulation (GDPR) to specify how personal data should be used and protected. It replaces the 1995 Data Protection Directive, bringing data protection law into the 21st century and unifying data privacy requirements across the EU.
So now what, right? Why should you care?
Well, while this law was officially adopted by the European Parliament in April 2016, it comes into effect on 25 May 2018, and will (probably, most definitely) have an impact on your business because of its wide scope.
It applies to any organisation that is established in the EU, offers goods or services to individuals in the EU, and/or monitors the behaviour of individuals in the EU. Long story short: if you operate in the EU, or have customers within the EU, you will have to comply with GDPR, regardless of where your business is located.
I know, I know. The UK is set to leave the EU in the next 12 months, right? Well, while that may be true, compliance with GDPR is still vital (not to mention that the UK is adopting near-identical rules in its own legislation), and if you’re found not sticking to the rules, you can be fined up to €20 million or 4% of annual global turnover (whichever is higher).
So, all being said, here are some of the key things you need to know:
- Consent: if you rely on consent to use someone’s data, it must be freely given, specific, informed and unambiguous (that means a clear opt-in in plain language, no pre-ticked boxes, and no fancy legal jargon or indecipherable T&Cs), and it must be as easy to withdraw as it was to give. Consent is only one of the lawful bases for processing, but it is the one most marketers lean on
- Breach Notification: in the case of a personal data breach, you must notify the relevant supervisory authority (the ICO, the Information Commissioner’s Office, in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected; where the risk to them is high, you must tell those people too
- Right to Access: customers have the right to obtain confirmation from you about whether you hold their personal data and how it is being processed (you have to comply, normally within one month, and must provide a copy of their stored data for free, electronically if they asked electronically)
- Right to be Forgotten: customers have the right to erasure, which means that on request you have to delete their personal data, stop circulating it, and tell any third parties you have shared it with to do the same, unless you have legitimate grounds (such as a legal obligation to retain it) to refuse
- Data Portability: you must allow individuals to obtain and reuse the personal data they have given you, in a structured, commonly used and machine-readable format, so that it can be moved to another provider or IT environment
- Privacy by Design: data protection measures, such as pseudonymisation, must be built into systems from the outset rather than bolted on afterwards, and by default you should process only the personal data that is necessary for each specific purpose
- Data Protection Officers: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive (special category) data, must appoint a DPO to oversee data protection. Note that GDPR sets no headcount threshold for this; the often-quoted 250-employee figure relates to the separate record-keeping exemption for smaller organisations, not to the DPO requirement
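To make the Privacy by Design point concrete, here is a small worked example, added for this article and not part of the original post or any legal guidance. It shows why an unkeyed hash of an email address is weak pseudonymisation (anyone holding a list of candidate addresses can recompute the hashes and re-identify people), how a keyed pseudonym (HMAC with a secret kept apart from the analytics data) resists that, and how the same key lets you locate a data subject’s rows when they exercise their access or erasure rights. The customer records and the candidate address list are constructed for the demo, and the key handling (one key, generated in memory) is a simplification of how a real deployment would store it.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people, example.* domains).
CUSTOMERS = [
    {"email": "alice@example.com", "country": "DE", "spend": 120.0},
    {"email": "bob@example.org", "country": "FR", "spend": 35.5},
    {"email": "carol@example.net", "country": "IE", "spend": 80.0},
]

# Constructed list an attacker or curious analyst might already hold
# (e.g. a leaked mailing list). It includes two of our three customers.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.org", "dave@example.com"]


def naive_pseudonymise(email: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic, so it works as a join key, but anyone can recompute it
    from a guessed address: this is reversible by dictionary attack.
    """
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonymise(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' GDPR expects to be kept
    separately; without it a guessed address cannot be turned into a pseudonym.
    """
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonyms, candidates, guess_fn):
    """Re-identification attempt: derive a pseudonym for every candidate
    identifier with guess_fn and look for matches in the data set."""
    lookup = {guess_fn(c): c for c in candidates}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def build_analytics_dataset(records, key: bytes):
    """Marketing/analytics view of the customer table.

    The direct identifier is replaced by a keyed pseudonym and only the
    fields needed for the analysis are kept (data minimisation).
    """
    return [
        {"id": keyed_pseudonymise(r["email"], key),
         "country": r["country"],
         "spend": r["spend"]}
        for r in records
    ]


def locate_records(email: str, dataset, key: bytes):
    """Handling an access or erasure request: with the key, the controller
    can recompute the subject's pseudonym and find their rows; the analytics
    team, which holds only the dataset, cannot."""
    pid = keyed_pseudonymise(email, key)
    return [row for row in dataset if row["id"] == pid]


def demo():
    key = secrets.token_bytes(32)  # in practice: stored in a secrets manager, not beside the data

    naive_ids = [naive_pseudonymise(r["email"]) for r in CUSTOMERS]
    recovered_naive = dictionary_attack(naive_ids, CANDIDATE_EMAILS, naive_pseudonymise)

    dataset = build_analytics_dataset(CUSTOMERS, key)
    keyed_ids = [row["id"] for row in dataset]
    # The attacker does not have the key, so the best they can do is hash the candidates.
    recovered_keyed = dictionary_attack(keyed_ids, CANDIDATE_EMAILS, naive_pseudonymise)

    bobs_rows = locate_records("Bob@Example.org", dataset, key)  # case/whitespace normalised
    return len(recovered_naive), len(recovered_keyed), len(bobs_rows), "email" in dataset[0]


if __name__ == "__main__":
    naive_hits, keyed_hits, bob_rows, leaks_email = demo()
    print(f"unkeyed hash: {naive_hits} of {len(CUSTOMERS)} customers re-identified")
    print(f"keyed HMAC:   {keyed_hits} of {len(CUSTOMERS)} customers re-identified")
    print(f"access request for Bob found {bob_rows} row(s); email column present: {leaks_email}")
```

The takeaway for the marketing database: a plain hash of an email address is not meaningful pseudonymisation, because the address space is guessable. Keep the HMAC key (or a lookup table) under separate control from the analytics copy, rotate it when staff who could access both change roles, and remember that pseudonymised data is still personal data under GDPR; it just lowers the impact if the analytics copy leaks.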
Now you know what changes are coming into effect, but I bet you’re wondering, how will they really affect you?
Well, basically, these restrictions on commercial data use are going to force a review of how your business handles personal data. You’re going to have to make sure you’re operating lawfully. Consequently, you may incur costs for strategy and legal compliance, and for you digital marketers out there, if you have a marketing database, it will need to be reviewed (and its numbers will probably dwindle). On the plus side, this change will inspire trust and confidence in your business from your customers, and you will end up with more engaged marketing lists.
So what now? You know what GDPR is. You know why it’s being implemented and you know how it’s going to affect you. So what should be your next step?
Unfortunately, at EcorSys, we can’t give you legal advice but we can point you in the right direction:
- If you want to read about GDPR regulation in-depth, you can find it here.
- The ICO have a guide for GDPR which is essential for both consumers and those working within businesses.
- The EU GDPR guide details all you need to know and even has a useful countdown clock which counts down the days until GDPR goes live.
- The EU’s Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.