13 May How GDPR Impacts You: What Do You Need To Know?
Is there anyone out there who is NOT confused by the European Union (EU) General Data Protection Regulation (GDPR)?
Many companies are not even thinking about how GDPR affects their marketing, directly or indirectly.
This is a plain-language overview of GDPR: how it may impact your data collection, and what you need to do to be compliant before May 25, 2018.
What Is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018.
GDPR is designed to give greater protection to an individual’s personal information and how it’s collected, stored, and used. There are strict requirements placed on companies that possess the personal data of people located in the EU.
After May 25, 2018, organizations that aren’t in compliance with GDPR’s requirements could face large fines (up to 4% of a company’s annual global turnover or €20 million, whichever is higher), which vary based on the severity of the infraction. For a very large enterprise that is a massive risk; for a smaller company it may be a deadly blow.
When Does GDPR Apply?
It is important to keep in mind that a financial transaction isn’t necessary for the GDPR to apply. A non-EU-based business must comply with the GDPR if it offers goods or services to, or monitors the behaviour of, people located in the EU and collects or processes their personal data in doing so. What matters is where the person is, not their passport (EU citizenship is not required).
Under GDPR, personal data is defined as any information relating to an identified or identifiable person, directly or indirectly. This includes online identifiers such as an IP address or a cookie ID, location data, a name, and an email address. So far pretty clear and simple: if you can track me down by any criterion like this, it is personal data.
For some companies GDPR may require significant changes in how a company discloses and obtains consent to collect personal data.
If you rely on consent to collect personal data from people in the EU, that consent must be a freely given, specific, informed and unambiguous indication of the person’s wishes. In practice this means consent should be:
- Voluntary. Have the user take affirmative action.
- Specific and informed. Make sure people are aware of what you’re collecting, how it’s being used, and whom it may be shared with.
- Unambiguous. Don’t bury it in redirects to terms of service overflowing with legal jargon.
More specifically, for consent to meet GDPR standards, it must:
- Contain a clear statement of consent, using plain language that’s easy to understand (no legalese).
- Require a positive opt-in (i.e., no pre-ticked boxes, silence, or inaction).
- Be separate from any other terms and conditions.
- Explain why the entity wants the data and what it will do with the data.
- Name any third-party controllers that will rely on the consent.
- Explain how the data subject may withdraw consent.
- Avoid making consent a precondition of service.
When the processing of personal data has multiple purposes, individuals must be informed of each purpose and allowed to consent or decline each purpose separately. Additional requirements apply when obtaining consent from children. Entities must also keep records of consent obtained from data subjects.
Strict Privacy by Default
Strict privacy settings should be the default setting. A user shouldn’t have to go into their settings to make manual changes to opt into stricter settings.
Rights to Data
Under GDPR, individuals have greater control over how their personal information is collected, stored, and used. Individuals have a right of access, which means the right to know where, why, and how their data is processed, and the right to request a copy of the data a company holds about them. Additionally, individuals have a right to erasure (the “right to be forgotten”), which means they can ask for their data to be deleted.
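The consent rules above (one decision per purpose, a positive opt-in rather than a pre-ticked box, a record of what was consented to and when, a way to withdraw) and the access and erasure rights in this section are easiest to get right if consent is stored as an append-only ledger rather than a single boolean on the user record. The following Python is an added example written for this article, not code from the article or from DilogR; the purpose names, the checkbox naming convention `consent_<purpose>` and the form values are assumptions made to keep it self-contained. It records consent only for boxes the user actually ticked, treats a missing record as “no consent” (privacy by default), lets the latest decision for a purpose win so withdrawal works, and exposes an export for access requests and an erase for deletion requests.

```python
"""Per-purpose consent ledger: affirmative opt-in, withdrawal, access export, erasure."""
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical purposes this site asks consent for (an assumption for the example).
PURPOSES = frozenset({"newsletter", "analytics", "third_party_sharing"})


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool                 # True = consent given, False = consent withdrawn
    at: str                       # ISO-8601 UTC timestamp of the decision
    text_version: Optional[str]   # version of the plain-language statement shown (None on withdrawal)
    source: str                   # where the affirmative action happened, e.g. "signup_form"


class ConsentLedger:
    """Append-only record of consent decisions, keyed by data subject."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    @staticmethod
    def _stamp(at: Optional[datetime]) -> str:
        return (at or datetime.now(timezone.utc)).isoformat()

    def _append(self, subject_id: str, purpose: str, granted: bool,
                text_version: Optional[str], source: str, at: Optional[datetime]) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose!r}")
        self._events.setdefault(subject_id, []).append(
            ConsentEvent(purpose, granted, self._stamp(at), text_version, source))

    def record_from_form(self, subject_id: str, form: Dict[str, str],
                         text_version: str, source: str,
                         at: Optional[datetime] = None) -> List[str]:
        """Record consent only for purposes the user affirmatively ticked.

        `form` maps submitted field names to values (assumed checkbox naming:
        "consent_<purpose>"). A purpose counts as consented to only when its box
        was submitted as "on"; a box that is absent or holds any other value is a
        refusal, so nothing is ever granted by default or by silence.
        Returns the purposes that were granted, in sorted order.
        """
        granted: List[str] = []
        for purpose in sorted(PURPOSES):
            if form.get(f"consent_{purpose}") == "on":
                self._append(subject_id, purpose, True, text_version, source, at)
                granted.append(purpose)
        return granted

    def withdraw(self, subject_id: str, purpose: str, source: str = "account_settings",
                 at: Optional[datetime] = None) -> None:
        """Withdrawal is just a later event; the history of the original grant is kept."""
        self._append(subject_id, purpose, False, None, source, at)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Privacy by default: no record means no consent; the latest decision wins."""
        events = [e for e in self._events.get(subject_id, []) if e.purpose == purpose]
        return bool(events) and events[-1].granted

    def export(self, subject_id: str) -> Optional[dict]:
        """Right of access: everything held about the subject, or None if nothing is held."""
        events = self._events.get(subject_id)
        if events is None:
            return None
        return {
            "subject_id": subject_id,
            "current": {p: self.has_consent(subject_id, p) for p in sorted(PURPOSES)},
            "history": [asdict(e) for e in events],
        }

    def erase(self, subject_id: str) -> bool:
        """Right to erasure: drop everything held about the subject; True if anything was removed."""
        return self._events.pop(subject_id, None) is not None


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed form submission: only the newsletter box was ticked.
    submitted = {"consent_newsletter": "on", "consent_analytics": "off"}
    print("granted:", ledger.record_from_form("user-42", submitted, "v3", "signup_form"))
    print("newsletter?", ledger.has_consent("user-42", "newsletter"))
    print("analytics?", ledger.has_consent("user-42", "analytics"))
    ledger.withdraw("user-42", "newsletter")
    print("after withdrawal:", ledger.export("user-42")["current"])
    print("erased:", ledger.erase("user-42"), "export now:", ledger.export("user-42"))
```

The ledger stores the version of the consent text shown, which is what you will need when asked to prove what the person agreed to; a boolean on the user row cannot answer that. Because withdrawal is appended rather than overwriting the grant, the export for an access request shows the full sequence of decisions.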
Organizations have a duty to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. If a breach is likely to result in a high risk to those individuals, the company must also inform them directly.
Appointment of Data Protection Officer
In some cases, companies must appoint a data protection officer. This is required when: 1) an entity’s core activities involve large-scale processing of special categories of data (e.g., race, genetic data, etc.), 2) an entity’s core activities involve regular and systematic monitoring of individuals on a large scale, or 3) the entity is a public authority.
Information of Children
Under GDPR, where an online service offered directly to children relies on consent, a company may not collect personal data of anyone under 16 without parental consent (individual EU member states may lower this age, to no less than 13). Implement a process to verify age and to obtain parental consent when necessary.
Takeaway: Under GDPR, companies must ensure that they have clear policies in place to maintain compliance.
DOES GDPR IMPACT NON-EU COMPANIES? (US, Australian etc)
Many of our clients say that compliance is NOT necessary for companies outside of the EU. We have even seen this with companies who develop software and apps for other companies.
However, non-EU companies must comply with GDPR if:
1) the company offers goods or services to people located in the EU, regardless of whether payment is required, or
2) the company monitors the behaviour of people located in the EU (for example by tracking visitors for analytics or advertising),
and it collects or processes their personal data in doing so.
This protection applies to anyone located in the EU, regardless of EU citizenship. It simply means that even an American citizen who is only temporarily located in the EU is protected by GDPR.
Remember that a financial transaction isn’t necessary for the GDPR to apply: a free app or a newsletter signup aimed at people in the EU is enough.
Takeaway: Every company within GDPR’s reach must obtain valid consent from the data subject where it relies on consent, including non-EU companies. Being located outside of the EU doesn’t relieve a company of compliance.
The DilogR team has worked really hard on this. We will be compliant in all areas that matter in our business. Will you?
Your business is responsible for its own compliance. Each organization needs to evaluate its data practices against the new regulation and ensure compliance. We want everyone in the DilogR customer and user base to transition into the post-GDPR world as painlessly as possible.
A HubSpot study also found that, if given the option, a majority of people would opt out of receiving phone calls and email from companies. A full 59% would take advantage of the ‘right to be forgotten’ and request that a company completely delete their details and history from its databases. 55% would also opt out of having their personal data stored and would request to see all the information a company holds about them.
4% agree that companies should not contact them without their permission, and 73% would opt out of all communications if they were given the option. Since the GDPR states that companies that market their products to, or monitor the behaviour of, people in the EU need to be clear about how they use personal data and give consumers the option to opt out of marketing activities, businesses may need to brace themselves for an influx of consumer unsubscribes next year.
How will the data police know we’ve complied?
The question of how exactly GDPR will be enforced is still mostly unknown. Experts anticipate that you may be called upon to prove that you have complied.
To proactively prepare for that possibility, you should:
- Obtain (active) consent before collecting data on any person
- Maintain documentation of data processing activities
- Appoint a data protection officer (check on the rules if this applies in your case)
- Create & use data protection impact assessments
You can also check out the additional recommendations published by the Information Commissioner’s Office (ICO) of the United Kingdom.
Overall, take steps that you document and can show you are trying – the goal is not to punish smaller companies. The goal is to keep data secure and not spam people.
Note that we are not giving any legal advice here; if you need legal advice, ask your lawyer.
The General Data Protection Regulation (GDPR) replaces the Data Protection Directive, which has been law across the European Union for the past 20 years. Its mission is to harmonise the approach to data protection matters across Europe by establishing a single set of pan-European rules. To ensure that the protection of personal data remains a fundamental right for people in the EU, the GDPR aims to modernise outdated privacy laws.
Please note that as of May 2018 the European Commission has recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection for international data transfers. Transfers to any other country need another safeguard, such as standard contractual clauses.
Adequacy talks are ongoing with Japan and South Korea.
If you are our customer and need to make sure you have a Data Processing Agreement (DPA) in place, contact our support team with any concerns.