GDPR stands for General Data Protection Regulation. It’s a game-changing data privacy law set out by the EU, and it’s going to be enforceable from May 25th, 2018.
But don’t be fooled by the law emanating from the European Union. Your company being based in the US or elsewhere won’t save it from the (rather hefty) penalties that the EU has promised to impose should a brand fall short of GDPR compliance when dealing with EU citizen data.
So, now that you know why everybody is freaking out over GDPR, let’s dig a little deeper.
GDPR consists of a long list of regulations for the handling of consumer data.
The goal of this new legislation is to help align existing data protection protocols all while increasing the levels of protection for individuals. It’s been in negotiation for over four years, but the actual regulations will come into effect starting May 25th, 2018.
All of the reforms going into effect are designed to help customers gain a greater level of control over their data, while offering more transparency throughout the data collection and use process.
These new laws will help to bring existing legislation up to par with the connected digital age we live in. Since data collection is such a normal and integral aspect of our lives both on a personal and business level it helps to set the standard for data-related laws moving forward.
Put simply, GDPR is a regulation that you’ll want to take seriously. Below we dive into what this regulation is, the demands of the legislation and how it could impact your day-to-day business.
Let’s be frank, GDPR compliance is something that the biggest companies in the world are currently grappling with, and will likely grapple with up until the deadline on May 25th, 2018 (and maybe even beyond).
Even if we distill GDPR compliance down to the basics, there are a lot of requirements you’ll have to implement to make sure you’re in line. Here’s what you should start thinking about:
Your terms of consent must be clear. This means that you can’t stuff your terms and conditions with complex language designed to confuse your users. Consent must be easily given and freely withdrawn at any time.
If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers, if your company is large enough to require a GDPR data controller. Failure to report breaches within this timeframe will lead to fines.
If your users request their existing data profile, you must be able to serve them with a fully detailed and free electronic copy of the data you’ve collected about them. This report must also include the various ways you’re using their information.
Also known as the right to data deletion, once the original purpose or use of the customer data has been realized, your customers have the right to request that you totally erase their personal data.
This gives users rights to their own data. They must be able to obtain their data from you and reuse that same data in different environments outside of your company.
This section of GDPR requires companies to design their systems with the proper security protocols in place from the start. Failure to design your systems of data collection the right way will result in a fine.
In some cases, your company may need to appoint a data protection officer (DPO). Whether or not you need an officer depends upon the size of your company and at what level you currently process and collect data.
Failure to comply with GDPR can result in some pretty hefty fines. The fines will range from €20million, or up to 4 percent of the offending organization’s annual revenue — whichever is greater. Now that’s a serious fine.
For lesser offences, the fine will be halved to €10million, or up to 2 percent of the offending organization’s annual revenue — again, whichever is greater.
(Finger’s crossed your company is compliant)
The higher level fines will be reserved for cases in which data infringement occurs, procedures for handling data aren’t in place, an unauthorized transfer of data occurs, or requests are ignored for customer data access.
The lower level fines still apply to the misuse of data, but on a minor scale. For example, failing to report a data breach, failing to notify your customers about the recent breach, or failing to administer the correct data protection protocols.
The extent of the fines your company will receive depends upon how severe the breach is, and the compliance actions you’ve taken as a result of the breach.
GDPR will bring about a new level of transparency into data collection, storage and usage. If your company is traditionally secretive about its data, you’ll need to make a very dramatic turnaround in line with the seven points above — as well as all the other minutiae.
For most companies, GDPR will create the need for greater compliance spending. Both in ensuring your operational processes are up to the latest standards, but also ensuring your existing technology is designed and optimized to the latest protocols. Plus, some companies and organizations will have to hire a compliance officer to help monitor and manage any data collection campaigns.
However, these additional expenses shouldn’t be solely viewed as an expense. Instead, it can be classified as an investment that’ll help to inspire trust and confidence in the eyes of your customers.
Companies that abuse data privileges will start to be viewed less and less trustworthy in the eyes of the public — particularly if they’re hit with those profit margin-busting fines. On the flip side, the companies that value access and use of their customer's data and treat it as a privilege, instead of a right, will help to solidify themselves as trustworthy businesses into the future.
GDPR is a complex topic, and although this article will help you to grasp the basics, you and your legal team will need to go through the legislation with a fine-toothed comb.
But the verdict is pretty clear from the offset: GDPR is an aggressive swing in the face of data abuse, and it puts all the power in the hands of the citizen when it comes to their data. Thus, there’s only a handful of organizations on earth with interests in the EU that don't need to make some changes.
And yet, it’s important to view these as a way to better protect your customers, and improve your own internal customer data handling procedures. To make GDPR an easier pill to swallow, view it was a positive force that has come to safeguard consumer data rights in our increasingly accessible world. And just as it protects the consumer, it also protects organizations from overstepping their boundaries.
As such, these new laws are completely necessary, even if they require a bit of an adjustment period upfront.
How are your GDPR preparations coming along? Let us know in the comments section below!