Privacy is something we as human beings all value, but it’s also becoming more and more of a commodity. Although there’s always a joking tone to it, people have become more paranoid about being spied on by the FBI and other governmental entities. Then there’s Internet Neutrality, which has changed the game in terms of online data.
Now, with the introduction of the GDPR in Europe, private data is again at the forefront of many people’s minds, as it should be. In this article, we’ll explain what the GDPR is, what changes your company might expect (even if you’re outside of Europe), and how to prepare for and comply with them.
What is the GDPR?
The General Data Protection Regulation, also known as the GDPR, was introduced on April 27, 2016, but has yet to go into effect. It applies to the personal data of people in the European Union (EU) and to the export of that data to other parts of the world.
Essentially, the 1995 Data Protection Directive, also known as Directive 95/46/EC, will now be out of date. Unlike Directive 95/46/EC, the GDPR requires no national legislation to implement it, so its rules take effect directly.
EU member states will follow a single set of rules, which mandate that each has an independent supervisory authority (SA). The SA is in charge of handling and resolving administrative offenses and complaints.
Companies with a strong business presence across and outside of the EU will deal with a lead SA at their main headquarters. This SA acts as a one-stop shop and holds all of the data from that company. There will also be a European Data Protection Board (EDPB), which supersedes the Article 29 Working Party.
In all other cases, the GDPR relies on a data controller, who oversees cloud service provider data for organizations, processors, and residents within the EU.
These processes exist to protect personal data, which the European Commission defines as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
How Soon Will the GDPR Be in Effect?
According to the GDPR’s official website, these changes will officially begin on May 25, 2018.
What This Means for Your Company
If you’re part of the EU, you may be wondering what kind of changes to expect come May. Many companies, including our own, EngageBay, are recommending compliance with the GDPR.
Do keep in mind that even if you’re not based in the EU but in the United States or another major country, you will almost certainly have subscribers, customers, or clients who are based in the EU. That means compliance is the best option for keeping your customer base in the long term.
Not only that, but according to the official GDPR website’s FAQs section, there are penalties that will be charged to those who fail to comply with the new regulations.
These companies may receive fines as high as 20 million euros (about $24.49 million USD), or a fine of up to four percent of their annual global turnover.
Of course, these penalties will be enforced only if a company is found to be avoiding or misapplying the Privacy by Design concepts of the GDPR, or failing to make the changes needed for compliance across its customer base.
If a company does not contact an SA regarding a data breach, or fails to follow Article 28, which pertains to managing company records, it could be fined two percent of its annual global turnover.
You may want to make the following changes under GDPR regulations to become more compliant, whether you’re based in the EU or elsewhere. Don’t wait until May to begin enforcing them. The sooner you’re compliant, the better.
Those changes are:
- Keep your contacts list backed up often. If you have subscriber proof of consent, this is even better, but it may not be mandatory.
- Change permissions on your opt-in forms. This will allow your customers to decide whether they want to receive emails from you in the future. You may want to consider adding a double opt-in as well.
- Whether it’s through a notice, a section on your website, or in an email, write a statement on how your company will manage sensitive data, such as the customer’s name, address, phone number, and email address.
- Also, let your customers know what you plan on doing with that data. Perhaps you will use it to offer customers relevant products or for email newsletter purposes. It’s best to spell this out as clearly as you can on both your website and app (if you have one). This may seem unnecessary, but when trying to be compliant, it’s better to go above and beyond than to do too little.
- Make sure you give your customers an option to unsubscribe if they choose to do so. There should be a link to unsubscribe on your website and in your email newsletter.
- Don’t make it difficult for customers to unsubscribe. If they decide to opt out, that’s their right, especially now with the GDPR coming into play. Do not send further emails trying to get them to come back at this time.
- If a customer doesn’t know how to unsubscribe for any reason but emails you asking to be taken off the mailing list, do it for them. Follow up and let them know you did it.
- Similarly, if your company is the type that has customer accounts and logins, a customer may ask you to remove that account for them. Make sure you do so and again, inform them of what you did.
- Make sure the third parties you do business with are compliant as well. Even if you follow every step to be compliant for your own company, if you’re working with another company that isn’t, this could come back to you and lead to penalization. From public relations professionals to marketers, customer service management companies, and even email service providers, they must all comply. Consider dropping those who are not in compliance.
- Do a data security system audit before May to make sure you’re fully prepared for the GDPR.
- Get your own Data Protection Officer (DPO) to ensure you maintain compliance every day in all customer relations going forward.
- If you have any other questions, you should hire an attorney so you can make sure there are no legal loopholes you may have missed.
The above-recommended changes are all good ones to implement immediately. Depending on the nature of your company, you may have to make additional changes as well.
Other Good Info to Know
Here is some other assorted information about the GDPR changes that’s worth keeping in mind as May approaches:
- Many companies in the EU that will be affected by the GDPR changes are hosting webinars in March, April, and even May. These webinars discuss what’s ahead as well as how to become compliant. Here’s one such webinar, and here’s another.
- The above compliance methods are not just for those businesses that operate within the EU or have clients from the EU. Many companies in the US typically have customers based in other parts of the world, including the EU, as mentioned. Therefore, it’s worth paying attention to the GDPR and becoming compliant no matter where you are based.
- You may want to host training sessions for your employees and vendors so they understand the GDPR changes inside and out. This will also be a good opportunity to go over the methods of compliance you plan for your company. The sooner you do this, the better.
- Although it probably won’t affect your business, you should still know how the GDPR impacts those who are 16 and younger. Right now, the age of consent is 16 years old, but it could be changed to 13 or older. Those who are 16 or younger will need parental consent when it comes to disseminating their personal data.
The General Data Protection Regulation or GDPR will change protections on personal data for those within the EU. Even if your company isn’t based in the EU, you likely have customers there, which means you will be affected by these changes as well.
Failing to comply with the GDPR regulations can lead to big penalties that will chip away at your company’s bottom line. You may have until the end of May before the GDPR is enforced, but that doesn’t mean you should ignore it until then. Instead, do your best to inform and educate your employees and clients about the changes that are coming. Then follow the above steps to ensure you’re complying with the regulations.
By being sensitive to the changing needs of your customers and clients and accepting that some may leave in light of the GDPR, your company should be able to navigate the regulations without difficulty.