From May 25th 2018, the European Union will be enforcing the General Data Protection Regulation (GDPR). While the law is designed to protect the personal data of EU citizens, the act is the first of its kind in a number of ways: it applies to all organizations with which EU residents can interact; compliance will be enforced globally; and fines will be far higher than under existing rules.
With time running out to fulfill the new regulations before they are brought into effect, Sage have compiled useful information to explain the consequences of non-compliance and how to become compliant before it is too late.
If you are an EU-based business or you collect data from EU residents, here is what you need to know.
What is the GDPR?
Two out of three Europeans are concerned about how their information is stored and used online. This worry has been further embedded by the recent reveal that Cambridge Analytica used Facebook user data without permission to create targeted political ads, adding to the concern that online personal information is not being managed safely and responsibly by businesses collecting their data.
Early attempts had been made to control how user data was collected and stored, such as the outgoing Data Protection Directive (DPD). Unfortunately, with changing technology, businesses exploiting the use of “offshore” servers and organizations manipulating customers to share their personal data, the DPD has proven insufficient for Europeans who want more control over how their personal data is used.
Consequently, the European Commission has responded by creating the GDPR, which comes into effect in just a couple of months. The regulation not only expands the definition of what is considered personal data but will be applied on a global scale. Any organization collecting data on Europeans is subject to compliance rules, and to punishment for non-compliance.
What are the rules of compliance?
Server location out; Customer residence in
Under the outgoing DPD, most non-EU businesses and organizations could get around the EU’s data protection regulations as they only applied to servers hosted inside European countries. This is no longer the case.
As of May 25th, any organization collecting data on any EU resident must comply with the GDPR or face heavy penalties.
The definition of “personal data” is changing
Back in 1995, when the DPD was first enforced, the internet was still new to many of us. As a result, lawmakers didn’t have a clear idea of what data was important for identifying users. Thus, only the more obvious identifiers were included in this definition: name, picture, email address, phone number, mailing address and any other ID numbers (social security, bank account number, etc.).
The GDPR is updating this definition to use other data commonly used to profile users and to target them with marketing material: IP address, geolocation, behavioral data, biometric data, demographic data and mobile device identifiers.
Compliance requests defaulted to “opt-out”
If you would like to collect customer data, such as their e-mail address, for the purpose of contacting the user at a later date with promotional offers, marketing material, etc., you will no longer be allowed to default the option as “opt-in”. Any boxes that need to be checked will have to be unchecked to begin with so it is clear the user has actively chosen to have their data added to your mailing list.
Equally, options to opt-in must be obvious and clear, i.e. as a pop-up on your website. It is no longer permissible to place the option in the terms and conditions where it might be overlooked.
No “data scraping”
As with the case currently concerning Facebook and Cambridge Analytica, organizations will be forbidden from gathering customer data by any means other than those the user themselves has consented to. This includes scouring social media sites, like Facebook or LinkedIn, for user data and then adding their email addresses to your marketing campaigns.
Basically, if the user hasn’t expressly given your organization permission to use their personal data, it is forbidden.
The GDPR also requires organizations storing the personal data of EU citizens to ensure the servers hosting the data are properly secured, so as to avoid any data breaches or theft of said data.
If you use a third-party business to manage your customer data, including a cloud-based customer-relationship management company, it is still your responsibility to ensure they are compliant.
The right to be forgotten
Finally, the GDPR hands more control back to the customer over the storage and use of their personal data. If the EU resident contacts you to know what data you have stored on them or if they raise a request to have that data deleted, you must comply with their wishes right away and free of charge, contacting them via electronic format. This doesn’t only include the data defined above as personal data, but any client information stored on servers, in cookies or in any documents or emails (including those that have been archived).
What are the penalties for non-compliance?
Unfortunately, with only two months to go before the rules are to be enforced, not everyone is ready. Out of 340 businesses surveyed, 55% still don’t have a fully formed plan for complying with GDPR, and of those that do, 33% lack confidence in that plan. Furthermore, 56% are unclear about the consequences of non-compliance, which are much more severe than under previous regulations.
Fines of up to €20 million or 4% of global turnover
To put this into perspective, until now the Information Commissioner’s Office (ICO), the regulator responsible for upholding information rights in the UK, was only able to issue fines of up to £500,000 (€580,000) for breaches of DPD regulations.
As well as any fines issued by regulatory bodies of the EU member states, organizations that fail to comply with the GDPR could also face legal claims by the customers themselves.
While not a legal consequence for non-compliance, it is likely that any failure to comply with adequate protection of user data will be met with damning and public reports, which could impact customer trust, market success and company investment.
Who will be most affected?
EU citizens have made it very clear that they support the arrival of the GDPR, and 48% of those surveyed have said they will be actively enforcing their rights, especially older clients. Over 40% of social media users have said they will be writing to organizations to remove their personal data, while online retailers, supermarkets, political organizations and energy suppliers can also expect to receive requests from about 30% of their EU-based clients.
What are the benefits?
Fortunately, it isn’t all doom and gloom. In fact, while the consequences of non-compliance are rather severe, there are also a number of attractive benefits for complying with GDPR.
71% of organizations think complying will improve overall data governance
Because the GDPR rules are so explicitly defined to protect EU user data, applying the rules to your customers as a whole will ensure you not only protect their data too, but also improve overall data governance, information security and management.
37% of organizations believe compliance will improve their overall IT
Similarly, complying with GDPR presents an opportunity to update IT in general. This could be especially useful for small businesses (those with fewer than 5,000 employees) and government organizations, which are currently the least prepared for the new regulations.
30% of organizations believe compliance will improve their public image
Being compliant with GDPR is likely to be extremely popular with clients everywhere, not just those in the EU. It gives an indication that your organization has the necessary infrastructure in place to protect data and use it responsibly, as well as putting the needs of the customer first; improving the organization’s image and customer satisfaction is likely to lead to improved market performance and repeat customers.
How to prepare
So, now that you know what GDPR is and the cost of non-compliance (as well as the benefits), how should you start putting a plan into action to meet the requirements?
Draft letters of response
It is likely that a high number of clients will request that their data be shared with them or removed very soon after the GDPR is brought into effect. You will have a responsibility to respond and comply quickly. Write template letters of response now to avoid any delay later on.
Create policies for providing users with their data or to thoroughly delete data
Equally, you should draw up policies for each of the users’ requests, so you and your staff know what they need to do to be able to respond quickly and efficiently. This will not only save you time and trouble later on but will keep the client happy and prevent any bad press.
Check your data servers are secure
Check and, if necessary, update the security of the servers you use to store and manage customer data. Use effective encryption to prevent any data breaches.
If you use a third party, check they are encrypting data effectively. If their encryption is insufficient, or if they are selling your customers’ data to other parties, sever your business with them and find a more reputable company to manage your CRM strategy. Remember, even if you use a third-party CRM company, you will be liable for any fines if the data isn’t secured properly.
Update your terms and conditions and any opt-in/opt-out options
Any references to personal data being collected in the terms and conditions should be removed and placed somewhere that is more obvious and clear, such as a site pop-up or in a visibly obvious place as part of a sign-up form. Also, any boxes that can be checked should be defaulted to “unchecked” and the wording rephrased so that only checking the box will sign the user up for any marketing or mailing lists. In other words, you can’t use a phrase like “leave the box unchecked to receive more marketing material.”
Depending on how well your organization currently manages user data, there may or may not be a lot to do to be compliant with the incoming GDPR. Either way, if you do business with EU residents in any way, ignorance is not an excuse; you must seek to be compliant now if you want to ensure you won’t face any hefty fines or damage to your reputation later.
Fortunately, there are also numerous benefits which will be gained in the long-term. Following our advice here won’t only remove the worry of consequences for non-compliance but will provide your organization with a popular policy which will impress users around the globe.