Have you noticed all the updates to privacy policies and terms and conditions on the websites you visit? You may have thought they had something to do with the Cambridge Analytica debacle on Facebook, but although the topics are similar, the timing is simply a coincidence. These changes are caused by the General Data Protection Regulation, which I’m pretty sure you don’t know much about, so I wanted to make sure you understood more about how it impacts you and how to be GDPR compliant.
What is it?
General Data Protection Regulation (GDPR) is a regulation in the European Union on data protection and privacy for all individuals within its borders. The GDPR aims to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulations in the EU.
Consent is essential. Under the GDPR, individuals have:
- The right to access – this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge, and in electronic format, if requested.
- The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
- The right to data portability – individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine-readable format.
- The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
- The right to have information corrected – this ensures that individuals can have their data updated if it is out-of-date, incomplete, or incorrect.
- The right to restrict processing – individuals can request that their data not be used for processing. Their record can remain in place, but not be used.
- The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
- The right to be notified – if there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
When did it start?
The regulation was adopted in April 2016, with a two-year transitional period. It becomes effective May 25, 2018.
Does it affect me?
It does if:
• You are a data subject (person based in the EU).
• You are a data controller (an organization that collects data from EU residents).
• You are a data processor (an organization that processes data on behalf of a data controller, such as a cloud service provider).
Currently this does not apply to the processing of personal data for national security activities or law enforcement. This may change.
How do I ensure compliance?
You may think that this doesn’t impact your non-EU-based business, but it does. It protects the residents of the EU, so if there’s any possible way you have personally identifiable information on an EU resident, then you must be in compliance.
First, understand more clearly what GDPR is. The Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights, has a self-assessment for small organizations that I recommend. I also really like the HubSpot checklist I found, which is a nice clean list of questions to ask yourself or your team. HubSpot’s checklist includes assessment, a project plan, setting procedures and controls, and documentation.
You will also want to contact a lawyer to make sure you have completed the steps in a satisfactory fashion.
Your organization will have to review business processes, applications, and forms to be compliant with double opt-in rules and email marketing best practices. You must be able to prove that consent was given in the event that a customer objects to receiving the communication. This means you’ll need an audit trail with time stamping and reporting information detailing how the subject opted in and how that occurred.
What happens if my business is not in compliance?
Any company processing, storing, or using data related to an EU citizen is subject to citations and fines for non-compliance. If you don’t comply with the new GDPR, fines of up to 4% of your global revenue or €20 million, whichever is greater, may be levied.
Only an estimated 21% of U.S. businesses have a plan in place. If you are reading this, that probably means you belong in that unprepared 79%. Compliance will vary by company and industry. This is important for smaller companies because fines will most likely wipe out an organization with smaller revenue.
What happens if we’re not ready by May 25, 2018?
Many organizations are not ready. We don’t know how quickly the EU is going to be able to enforce this. But NOW is the time to get started.