GDPR: Everything You Need to Know
Friday, May 25th, marks the first day of a law that’s been two years in the making. In April 2016, the GDPR was announced and enacted a two year transition period for businesses in the European Union (EU).
Odds are you’ve received an email from some of the platforms you use, containing updated privacy policies, GDPR updates, and various bits and bobs that have you wondering, “What is GDPR?”
Most American businesses are quick to see “European Union” and think that this doesn’t affect them when in reality, the GDPR law is going to affect everyone. If you’re not ready for it, you’re not alone.
In a study of more than 800 business and IT professionals, a whopping 80 percent of businesses knew next to nothing about GDPR. Worse still, 97 percent of companies didn’t have a plan of action for the GDPR kick off.
GDPR will affect businesses around the world. In today’s digital age, we share personal information on dozens of websites. Do you know how your personal information is being used? The GDPR law is helping the EU keep better tabs on information.
Here’s what you can expect!
What is GDPR
GDPR, or General Data Protection Regulation, is privacy law that’s being implemented across the EU and the European Economic Area (EEA). It is the response to privacy concerns across the digital sphere. The GDPR applies to any company that stores or sells personal information of European citizens, including businesses on other continents. That includes the United States of America.
The purpose of the GDPR is to grant citizens more control over the protection of their personal data.
So, what constitutes “personal data”. According to the GDPR compliance language, personal data constitutes any information related to a citizen such as their name, photos, email addresses, banking information, social media profiles, location, and IP address.
GDPR is putting the power in the people’s hands. Individuals will have the right to:
- Access. Individuals have the right to request and see how their personal information is being used by a company, free of charge and in a digital format, if requested.
- Be forgotten. Individuals have the right to pull consent and delete any personal data once they are no longer customers.
- Data portability. Individuals have the right to transfer their data and personal information from one service provider to another. The data must be transferred on a common, machine-readable format.
- Be informed. Individuals must be informed that their data is being gathered. Once notified, individuals must give consent for their data to be gathered and/or used.
- Have information corrected. Individuals will have the right to update any out of date, incomplete, or incorrect personal information.
- Restrict processing. Individuals that the right to request that their information not be used.
- Right to object. Individuals will have the right to remove the process of their data being used for direct marketing. Individuals must be aware of this right when communication between user and company begins.
- Right to be notified. In any instances of personal data breaches, the individual must be notified within 72 hours of the first awareness that there has been a breach.
While the GDPR is an EU-based regulation, it will still affect American businesses. If you, or a client, deal with any overseas communication, you need to be conscious of how GDPR will affect the information you receive.
“However fast regulation moves, technology moves faster. Especially as far as data is concerned.” – Elizabeth Denham
How Will GDPR Affect Your Business
While you may not be situated in the EU, the GDPR poses quite a few qualms for businesses in North America and around the world. This is the beginning of an overhaul on how personal information is acquired, stored, and accessed. It is an unprecedented law that will serve as the foundation to transparency and increased visibility when it comes to personal information.
This also means it will become a little tricky to obtain consent from users. Consider your own digital practices: wouldn’t you be quicker to say, “Do not use my information” rather than “Do with it what you will!”
In this regard, companies are strategizing on the most efficient way to manage personal data and present it in a clear, concise manner without alienating their customer base.
The easiest GDPR example to understand is how email newsletters will change under the regulation. You may be familiar with the small font, slim line of text at the top or bottom of the email, presenting the option to unsubscribe. Under GDPR, that small text is no longer enough.
After Friday, users will need to actively provide consent and agree by filling out a form, ticking boxes to agree, and then confirming these were their actions in a follow-up email.
Don’t forget about that bulleted list above either. Companies must continue to provide time-stamped, comprehensive reporting of how personal data is being used and how they received communication in the first place.
This will affect how many companies get customers. If businesses purchase marketing or email lists, they must still reach out to those individuals and receive consent. If you pick up a few business cards at a tradeshow, you can no longer return to your office and input those emails into your company mailing list.
Businesses in the EU must adapt to how they collect customer information and think of new, creative ideas in order to do so.
You can see how this is a little nerve-wracking to businesses in the EU and beyond. It’s more than a business concern as well, but a monetary one as well. Businesses that fail to adhere to the GDPR will be fined.
How to Prepare Your Business
If you feel like breathing into a paper bag, we don’t blame you, but keep in mind that we’re here to help you. GDPR legislation is a big pill to swallow but it’s not an impossible task.
The best way to begin your GDPR planning process is to break it down into simple steps with byte-sized pieces (pun intended).
1. Map Your Businesses Data
The first tick on your GDPR checklist is mapping your data. It will be overwhelming at first but take a deep breath and get lost in the logic of it!
Strategize with your team to determine the best way to map where the personal data is, who has access to it, and any potential risks.
2. Determine What Stays and What Goes
Sifting through your company’s data is a great time for some digital Spring cleaning. Determine what personal data and information is useful, and what your team can do without. You may find that a lot of your data is old, unnecessary, and waste of digital space.
As you go through data, ask yourself why you’re keeping the data, whether your team plans to archive or erase the data, and how to categorize the data.
3. Ensure Security Measures Are Locked and Loaded
Now that all information must essentially be see-through, the last thing you want is a data breach. As you go down your GDPR checklist, don’t skim over security. Now is the time to ensure that your data is secure and that safeguards are up-to-date and reliable.
Communicate with any outside security sources that you use and ensure that both of your security measures align.
4. Review Consent Forms and Documentation
GDPR is all about consent and visibility. Create forms and documentation that explains the policy changes in a clear, comprehensive manner.
5. Establish Guidelines for Future Personal Data
As we mentioned above in our handy-dandy bulleted list, individuals have the right to request their data and see how it’s being used. Be proactive and establish a procedure to accurately provide this information, if requested.
Determine how your team will ensure that their information is being used properly, the process of deletion, how to transfer data, and how to communicate with an individual in case of a data breach.
Create templates, responses, and step-by-step guide now to avoid a headache in the future.
The Post-GDPR Digital World
It’s no secret that data is a currency in the digital world. Under the GDPR legislation, personal data will become even more valuable.
While many businesses are nervous to enter this brave, new world, GDPR is giving businesses the opportunity to hone in on their strengths and identify areas of weakness. This transparency will also give users a renewed sense of trust and loyalty in your business.
Create a plan of action today and begin mapping out your business’ data to stay ahead of the curve!