Don’t bury your head in the sand on GDPR!
When you hear of the European Union's new regulation, the General Data Protection Regulation (GDPR), the changes it brings regarding data security, data collection, and documentation plans are something we should all pay attention to.
Does your business control or process data of EU citizens, regardless of your location? What about your clients?
You may think, "well, this doesn't affect us," but that kind of response brings to mind the person figuratively burying their head in the sand, ignoring obvious facts or refusing to accept advice, hoping that simply denying the existence of a problem will make it go away. This new regulation affects us in more ways than we think.
In the EU this is a mandatory regulation. For the rest of us, this is an excellent time to review our plans and to adjust and verify the contacts in our customer and prospect lists. While it may not affect us directly, there will be a potentially huge ripple effect within our industry.
This article will cover what the GDPR is, why it matters to non-EU businesses, and how to move towards compliance. Keep in mind, however, that you should work with your data privacy expert, advisor or lawyer if you'd like advice on your interpretation of this information or its accuracy.
What does this have to do with non-EU businesses?
The GDPR applies to those doing business with EU members, not just those within the EU. Even if you do not do business with EU members and it does not directly apply to your business at this moment, you should still be aware of what it is and how to be compliant. Here are a few reasons why:
1) Your clients may do business with others in the EU. Some of your business clients likely have clients in the EU and ship products to them. Part of your expertise as their risk management adviser would be to educate them on the GDPR so that they are compliant. First you have to understand it; then you can help them understand it.
2) It may soon be required of you. Just because the GDPR is an EU regulation does not mean that the US federal government or even your state government won't soon adopt similar legislation. Unless you've been living under a rock, you know that there is a lot going on with personal information. Why not at least be prepared for it, so you are not scrambling around at the last second hoping to be compliant?
3) It's a good business practice. With all the scrutiny over businesses improperly handling personal information and businesses being hacked, consumers are worried. And they have a right to be. You can provide your clients a level of security that others are not providing by adopting these compliance regulations. It is a great thing to be able to tell your clients that their well-being is in your best interests, so you are taking the initiative of strengthening your policies regarding their information.
The GDPR is all about protecting the data of your clients. Even if you are not required to comply, it is still in your clients' best interests. Now let's explore what it actually is.
What is the GDPR?
Whether you're B2B or B2C, big or small, you've probably heard about the EU's new regulation, the General Data Protection Regulation (GDPR). This is a new set of laws aimed at enhancing and outlining the protection of EU citizens' data and increasing the obligations of organizations to handle that data in transparent and secure ways. The GDPR applies not only to EU-based businesses but also to any company that controls or processes data of EU citizens, regardless of the company's location.
Even if you are based outside of the European Union, if you market your products to or monitor the behavior of people in the EU, the GDPR applies. So while this may not apply to you entirely, you likely have clients who do business with those in the European Union.
You can never be 100% protected, but proactively taking preventive measures to ensure the protection and privacy of prospect and customer data is a best practice no matter where you live or do business.
Companies should assess their own data collection and storage practices (including the ways they use marketing and sales tools) and seek their own legal advice to ensure that their business practices comply with the GDPR.
Complying with the GDPR
Ensuring all aspects of your business are compliant can be a challenge if you do not know where to start. HubSpot created a checklist of questions to determine how to comply and what your next steps should be. Here are the four aspects of the checklist:
- What personal data do we collect/store?
- Have we obtained it fairly? Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?
- Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?
- Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption or pseudonymisation be required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose?
- Are we collecting or processing any special categories of personal data, such as ‘Sensitive Personal Data’, children’s data, biometric or genetic data etc. and if so, are we meeting the standards to collect, process and store it?
- Are we transferring the personal data outside the EU and if so, do we have adequate protections in place?
The GDPR Project Plan
- Have we put a project plan together to ensure compliance by a specific deadline? (May 28th, 2018 if you need to follow the GDPR's guidelines)
- Have we secured buy-in at executive level to ensure we have the required resources and budget on hand to move the project forward?
- Do we require a Data Privacy Impact Assessment?
- Do we need to hire a Data Privacy Officer?
- Are we implementing a policy of ‘Data Protection by Design and Default’ to ensure we’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals?
- Have we considered how we handle employee data in our plan?
The Procedures and Controls
- Is our security team informed, so that they are aware of their obligations under the GDPR, and do they have sufficient resources to implement any required changes or new processes?
- Do we have procedures in place to handle requests from data subjects to modify, delete or access their personal data? Do these procedures comply with the new rules under the GDPR?
- Do we have security notification procedures in place to ensure that, in case of a data breach, we meet our enhanced reporting obligations under the GDPR in a timely manner?
- Is our staff trained in all areas of EU data privacy to ensure they handle data in a compliant manner?
- Do we review and audit the data we hold on a regular basis?
- Do we have a defined policy on retention periods for all items of personal data, from customer, prospect and vendor data to employee data? Is it compliant with the GDPR?
- Are our internal procedures adequately documented?
- If we’re a data processor, have we updated our contracts with the relevant controllers to ensure they include the mandatory provisions set out in Art. 28 of the GDPR?
- In cases where our third party vendors are processing personal data on our behalf, have we ensured our contracts with them have been updated to include those same processor requirements under the GDPR?
Reviewing these 22 questions will give you a good idea of what else is required to meet the GDPR regulations and help you decide what is necessary to protect your clients' data.
What happens if a Breach Occurs?
The GDPR requires that a breach be reported within 72 hours. The potential penalties for falling foul of the GDPR are severe. Depending on the type of violation, companies will incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater). These big penalties show that the regulators mean business and that companies cannot afford to ignore the legislation.
The Three Key Areas of the GDPR
We saw that there are three key areas that will affect businesses.
- Businesses will need to treat people's attention with respect.
- Businesses must be transparent.
- The GDPR raises the bar for everyone.
Anything that gives more power to consumers and makes marketers get better is to be welcomed.
Data breaches are taking a toll on customer loyalty. They are happening on a daily basis, and consumers are growing wary of both the attitude and the practices of the organizations handling their data.
We don't see that as a bad outcome: marketers will be forced to up their game and become more creative if they want to succeed.
Companies that put their own needs ahead of consumers' and indulged in shady or outbound tactics are in for a shock. Their world is going to change dramatically, as the GDPR will hasten the demise of marketing tactics like buying lists, cold emailing and spam.
Have Questions? Want to share your thoughts? Leave a comment below.