Welcome to General Data Protection Regulation 101, aka your guide to all things GDPR. If you’re just beginning to tackle this, we’d recommend grabbing a hot cup of coffee (skip the splash of whiskey for now) and preparing to soak up all the information. Here’s what you’ll learn:
1. What the new legislation entails
2. How this legislation affects your business
3. What your company needs to do
4. The consequences of non-compliance
5. The hard deadline…which is May 25th, 2018.
Whoa, panic! That’s so soon! Do these changes affect my company?
GDPR applies to any EU company, any company (EU or not) collecting personal data on people located in the EU, or any company doing business in the EU. Essentially, yes. Ok, but what about Brexit? The EU has stated that the UK Government will implement an equivalent or alternative legal mechanism. Our advice: just comply.
Why the change?
In this rapidly moving digital and technological age, it’s about time we changed a 21-year-old regulation. Until now, it’s been up to the individual countries to enforce and pass laws on the subject. The problem, however, is that organisations aren’t providing transparency on where the data resides, who can access it, when they can access it, or what happens once accessed. This includes names, photos, e-mail addresses, social media posts, personal medical information, IP addresses, browsing cookies, location data and bank details. Looming security threats violate fundamental personal data and privacy rights, which makes providing a structure and implementation plan crucial.
Consent is Crucial
Companies will need to explain what information they’re collecting, why they’re collecting it, and who else (if anyone) will see it. Requests for information must be clear and stated in plain language, separate from any lengthy terms and conditions. This means ‘opt-out’ is out. You must actively ask people to opt in, without swaying their decision by pre-ticking a box. This gives the consumer a greater level of transparency as to what information companies will be privy to, as well as ownership.
Consent applies on every level of interaction. Let me explain. Imagine you have a consumer perusing your website. By collecting their patterns of movement (analytics), you are better able to tailor their experience and/or purchase, just as Facebook tracks its users’ movements to aid brands in delivering paid content to their respective target consumers. Should your site have an e-commerce component, that site then stores even more information, such as previous purchases and customer identity. What this means is that data gets stored in multiple channels: analytics, e-commerce, shopping history, identity, and typically a third-party system that handles the checkout process. That’s a lot of information being stored in a lot of different systems, with a potential for data breach. The user must consent to each of these things, meaning the company must be equipped to handle the data path of each user.
Now, let’s say a user has purchased something from your site which prompts the user to receive a confirmation e-mail. This type of e-mail does not require consent as it is transactional. Sending a follow-up e-mail with something to the effect of ‘We’re grateful for your business, here are more items you might enjoy,’ however, is e-mail marketing, and therefore requires an opt-in.
The same applies to sales e-mails… Remember that prospective client you met at a conference who handed you their business card? A business card does not qualify as consent to be e-mailed a sales pitch. Crazy, right? This is where the old-school cold call will work in your favour, as calls are not regulated under GDPR.
Feel free to dump the whiskey into your coffee right about now…
But before you do, think about it. Purging data and asking your users to opt in will paint a clear picture of who your loyal consumers truly are. That means you’ll be able to build a community of highly engaged users, tap into their interests and build a solid database. That equates to more return on investment, a highly focused marketing strategy, and a streamlined approach to data collection which minimizes risk.
That’s all well and good, but what about Facebook not being able to mine as deeply for data? Our business relies on their targeting to be able to grow our fan base, deliver giveaways and interact with consumers. Fair. But it’s time to think outside the box. How can you motivate your current fan base to attract new followers and build community? Are you jumping on community building techniques like Facebook Groups and Live video where relevant? What e-mail marketing campaign can you deliver to push people towards social media? The possibilities are endless, and the Occupi team can take care of those worries.
What you need to do: The regulation applies to anyone in your current database (including employees, vendors, customers, anyone whose data you choose to collect). Furthermore, those whom you have been in contact with prior to the May 25th deadline fall under this category. This means you must go back and ask everyone for his or her consent to keep him or her in your database. You must also let them know what they have ‘opted in’ for, so that they may alter the information they receive. This must also be achieved with third parties (vendors, fulfillment, payroll, pension, etc…).
More than ever, it is important you keep records of how people have given you their information. Take screenshots of opt-in pages or whichever metric you have used. There needs to be a clear data map including the date of opt-in, what information is stored, why it is stored, for how long it will need to be stored and any opt-outs.
More information can be found in Articles 7 & 8.
Now that the user will be given full transparency on what their information is being processed for, you can understand the need for meticulous documentation. The user can be privy to the purposes of processing, the categories of personal data concerned, third-party sharing, and the envisaged period for which the information will be stored. Any and all information you have on an individual must be made easily accessible and digestible. This means that if a person requests to see what information a company has on file, the company must be able to produce a document detailing all of this. The user will also have the right to have their information rectified by the company immediately.
Seems pretty straightforward, right? Well, not really. Here’s why. Let’s say you’re hosting an event and you require dietary information. This might mean your company learns of personal information such as religion (via halal or kosher answers) that the user never intended for you to know. Your company needs to ensure the information is only used for the purposes outlined to that user. The same applies to data profiling. When a user provides you with their age for age verification purposes only (for example), you may not then use that information to categorize them into a specific age group range (i.e. women aged 20-30).
What you need to do: Get your ducks in a row. Make sure you have all of the information above to hand. Cover all of your bases. Our advice? Only collect what you really need, only share what you really need and only keep what you really need for whatever time you require it.
More on this topic in Articles 15 to 17 and 20 to 24.
Erasure/Right To Be Forgotten
If a person requests for their information to be deleted, the company must comply and have it take effect immediately. The information must be erased from any third parties as well. Should that individual still receive communication despite revoking consent, your company could incur a hefty fine if reported.
Equally, if the person requests their information to be sent to a third party on their behalf, the company must comply.
Now, there are some cases where you cannot remove the data. Examples might include data required for tax purposes or data that is only accessible through means that would cost the company millions. The company would simply need to be able to prove their case to the GDPR for why they must keep the data.
What you need to do: If you’ve taken the steps outlined under ‘Data Access,’ deleting a person’s data should be quite simple. Respect their decision. If for some reason you still require their data, be prepared to show evidence for your case.
Visit Article 17 for more information.
Protection & Security
The GDPR is now holding each company (controller & processor) responsible for the protection and security of the data they have access to. This means that there must be a plan in case of data breach.
What you need to do: Get really clear on your data mapping. You must be able to show the EUGDPR documentation of the business process for compliance. This includes listing all systems that house data, third parties, who in the company has access to that data, and how long you intend to keep said data. It must also include the data that the company has deleted, data portability, and consent paths for all users.
Once that’s accomplished, create a plan for data breaches especially if you are working with a processor (third party). Ensure you review your privacy notice as well.
Find out more in Article 32.
What happens if there’s a data breach?
You’ve got 72 hours to report the incident to the appropriate data protection agency. 72 hours is 72 hours. That means you may need to work over the weekend and have the capability to do so. You must also inform the affected individuals immediately. The data controller and processor are equally responsible. Which means, get on top of your incident response plan straight away.
What’s the penalty for not complying?
If you get caught not complying, that can mean fines of €20 million or 4% of the company’s worldwide annual turnover. They’ll slap you with whichever fine is higher. Kind of. That’s the worst-case scenario. Otherwise, fines work on a tiered system, including 2% of turnover for not taking appropriate measures to keep records in order.
Authorities are relying on consumers to make a claim, rather than deep-diving into every company’s state of data protection. So as long as you’re complying, have carried out all of the impact assessments and audits, you should be in the clear.
Deep breath. You’ve made it. Now that you have the low-down, you can figure out a plan of action. It can be pretty daunting but it’s simply a matter of getting started. Or you could just sit back with that whiskey and rely on the Occupi Team to do it for you…