We’re sure there was one thought that came into your mind.
‘WTF is GDPR, and why should I care?’
Well, if you’re a business owner, there is a very good reason why you should care. Or should we say, up to €20 million worth of a reason. After all, according to the European Union General Data Protection Regulation (GDPR), the new privacy law in town, that is the amount an organization can be fined for not complying with its rules (of course- it’s not a flat rate, the penalty is either 20 million euros, or 4% of your annual global financial turnover, whichever higher).
The law went live, so to say, on 25th May, 2018, and now, it is more important than ever for you to know how this can affect you- as a business, a marketer, and a consumer. Here’s a handy guide that will walk you through the basics of this law, and what changes you might have to take up!
What is GDPR?
Let’s start with the basics. The European General Data Protection Regulation is a law that aims at giving citizens and residents more control over their personal data. On the business side, it hopes to establish a clear standard for data protection and sharing among all international businesses associated with the EU.
As per the current regulations, there are quite a few significant changes, compared to the 1998 data protection laws.
- The definition of personal data is wider. Besides name, contacts, medical information, etc. it also includes IP addresses and digital information.
- User consent is of utmost importance. As a company, you need to have a legal reason to collect and store personal data. This consent has to be given for each separate project and plan.
- User’s rights are paramount, since the rights have been broadened. The users can request to have the data erased, or transferred, or corrected. They can also alter the way the data is used.
- Do not forget the documentation! You’ll have to keep records of clear and unambiguous consent from all your users, recording the reason for which their data is going to be used.
- The rules apply to any data that you might use in your business. Even if you have purchased the data from a third-party, and the third-party has not been compliant to the regulations, you’ll be in breach of the law.
Who does GDPR apply to?
In short, almost every business, if you have any connection to the EU.
To elaborate, the GDPR law applies to all the businesses established in the European Union, and can also apply to companies not based in EU, if they process the personal data of any EU citizen during the course of their business activities.
If you’re currently not present in EU, and might have customers from the continent, you’d still have to be compliant to the law. If you’re planning an expansion in the future, you should plan your business expansion keeping the requirements of the law in mind.
Will GDPR apply to me, even if I’m a small business?
Contrary to a lot of rumours floating around, the law will apply to any business, including those who will be qualified as small business (so even if you have fewer than 250 employees, you’ll still have to comply with these regulations).
What counts as personal data?
According to the GDPR law, personal data (also known as personally identifiable information, in US), can include any and all of the following:
- Basic identity information (name, email ID, address, phone numbers)
- Web data (IP address, cookies, location tags, RFID tags)
- Biometric data
- Health data
- Sexual and gender orientation
- Political opinions
- Racial and ethnic data information
How can I make my business GDPR compliant?
Whether you’re a small business, or a large one, there are certain steps you can take in order to keep your business GDPR ready!
- Know your data: Understand, track, and record all the personal data that you hold, and where you’ve received the data from.
- Get consent: Are you relying on consent to use personal data? This will get more difficult, as the consent needs to be explicit, and not hidden under terms and conditions.
- Update your security processes: Understand what data processing technologies and data encryption tools you should be using, to prevent any breaches on your part.
- Train your personnel: As per the GDPR, you might be required to employ a data protection officer, but your entire organization should be trained on how to handle and store the data, as well.
- Know your supply chain: As a business, you have to ensure that your supply chain is GDPR compliant, so that you’re not slapped with any penalties for external breaches.
- Don’t hold on to old data: You should not be holding on to old data, for any longer than absolutely necessary, or for any other reasons beyond what the individual has consented for.
- Keep a track of the consents: According to the GDPR, the consent cannot be hidden in small print, but mentioned clearly and explicitly in all your communications (website, emails, and cookies). No hiding behind pre-ticked boxes, or inactivity clauses any more!
- Update those privacy noticed: Update your privacy notices, both internally and externally. You will also need to email all the people who are on your current database, to get their explicit consent.
I’m a marketer. What are the changes I have to make in order to comply with GDPR?
If you’re an online marketer, you’ll definitely have to understand the responsibilities of data controllers and processers.
- As a data controller the GDPR will hold you liable for data collection, storage, usage.
- A data processor is one that operates on the data that is currently available- including storage, recording, sharing, erasure, etc.
These two are interlinked, as a data controller would be a processor as well. However, let’s take an example here. You’re a marketing agency, using a contact management software. In this scenario, you’re the data controller, and this third party software is the processor. Both of you will have to be GDPR compliant.
If you’re engaging in social media marketing, you don’t have to change how you post content on your page, as this does not constitute data collection. However, you’d have to avoid exporting or storing contact details from the social media followers (which will constitute personal data). If you are using social media to drive your website traffic, and you’re analysing this web traffic, you’ll have to get consent from the social media users for that.
If you’re undertaking paid social advertising on Instagram, Twitter, or Facebook, you will have to get explicit opt-in from the customers.
This sounds complicated- how does this benefit me, as an organization at all?
In the noise about how expensive it can be to be non-compliant with the GDPR, we might lose track of how this can actually benefit businesses. How can it help you? Let us count the ways.
- Greater trust among customers: The GDPR can improve customer’s trust in your company, and how you’re utilizing the data that is being shared with you.
- Organic marketing and better conversions: Since the people who are still in your mailing and ad lists are those who have opted in, your money and efforts will be spent on those who are genuinely interested in your business. This can increase the conversion rates for your business. Hello, better ROI!
- Better data management: In order to be compliant to this law, you have to know what data you track of your customers, and for what purpose. This means you will have to audit all the data you currently have and put a good data management process in place. This will give you an opportunity to put a robust system in place, and get rid of any obsolete data your organization is still storing.
How does GDPR help me, as an individual?
One of the main reasons why GDPR was put in place is to improve how your data is stored and used by companies. As an individual, there are countless benefits for you, including:
- More privacy: Signed up for one particular newsletter, but you’re getting hundreds more suddenly? You will not have to worry about that, now that GDPR is in place. Businesses can collect and store your data only for specific purposes, so your data will definitely be more private.
- More security: Since there are extremely strict rules regarding storage and communication of data, the likelihood of serious breaches will go down significantly.
- Better ads for you: Instead of spending significant amount of time deleting spam marketing emails, you will only receive marketing mails from the places that you have actively consented to be contacted by.
Who’s the regulatory authority for the GDPR?
There are supervisory authorities in each EU country, who will be the regulatory authority when it comes to GDPR. All the complaints regarding business, and user privacy will be lodged with the supervisory authority of the relevant country, and processed in the same place.
Who within my company will have to be responsible for compliance?
There are several roles that have been identified within the GDPR code (as we mentioned- you need to appoint a data protection officer (DPO). There are also several other roles including data controller, data processor and more.
However, a good rule of thumb would be to ensure everybody in your organization knows about the GDPR- as good data governance has to be democratic after all!
Still confused? Keep on researching, or even better- get a legal consult to help you draft your new policies. Better safe than sorry when 4% of your annual turnover will be on the line! Drop us a mail at firstname.lastname@example.org.