What is GDPR, and How Does It Impact You as a Customer and as a Business? - Part 1
Do you remember back in 1995, when cookies were just those delicious biscuits we ate with milk or tea? That was also when the EU came up with its old data protection rules, under which each member state set its own rules based on its own law. Since then, we have upped our game, and the way we use the Internet has completely changed. We share information by e-mail, log in to different websites, send money, pay bills, and shop for anything and everything. All without thinking about the amount of personal data we share, how many people hold this data, and what they do with it.
Privacy has long been discussed in Europe; it was recognised as a right in 1950 by the European Convention on Human Rights. The EU came up with the GDPR in 2016 to make sure your data is kept safe and private, and that a company uses it only for the purpose for which it was collected. Creating a better customer experience is no longer an excuse for keeping personal information.
Now that I have got you thinking about cybersecurity and data safety, what if a company is hacked and your information ends up out there? Well, companies that do business with European clients now have rules to follow in that case too. Data privacy and security are the key concerns now that more people entrust their data to cloud services and breaches occur daily.
It does not matter whether you are a family business or a company with 1,000 employees based outside Europe. If you do business (selling goods or services, or storing personal information) with European citizens (EU and EEA), you must comply with the new privacy and security law.
This post will help you, as a person, to understand your rights. For companies, it will help you to know what you need to do. If you are behind and still unsure whether you are compliant with these rules, we advise you to seek legal advice. The deadline for adapting your business to the GDPR rules was the 25th of May, 2018, so you are already over two years late. The penalties are very high: up to 20 million euros or 4% of annual global revenue, whichever is higher. Data subjects also have the right to seek compensation for damages.
The regulation, without the accompanying directives, runs to 88 pages, but we have tried to make this as short and straightforward as possible. This post is divided into two parts: the first explains the GDPR, and the second gives tips on how to comply.
GDPR concepts
Many aspects of our lives involve data. From social media to banks, retailers, and government organizations, almost every service collects and analyzes personal data, and sometimes stores it as well. But what precisely is personal data?
Personal data includes names, e-mail addresses, location information, ethnicity, gender, biometric data, religious beliefs, political opinions, web cookies, pseudonyms, and updates on social media, regardless of whether the individual is acting in a private, public, or work role.
The act of collecting, recording, organizing, structuring, storing, using, and erasing data is called data processing. Customers or website visitors are the data subjects. Business owners, or any employee who handles the data, are the data controller. Those who process the data on the controller's behalf, such as cloud services and e-mail providers, are the data processors, and there are special rules for them. In other words, a data controller is an individual or organization responsible for deciding the purposes and means of personal data processing, and a data processor is the individual or organization that processes personal data on behalf of the controller.
Organizations need to ensure that personal data is obtained legally and under strict conditions. Those who collect and manage the data must protect it from misuse and exploitation, respecting the data owners' rights.
GDPR protection and accountability principles
If you process data, you need to do so according to 7 protection and accountability principles, and you should also consider them when developing a new product or activity. Privacy and data protection by design require that all of a company's departments look closely at their data and how they handle it.
Lawfulness, fairness, and transparency: Determine the lawful basis for your data processing, document it, and notify the data subject. If you later decide to change your justification, you need a good reason, and you must document it and inform the data subject.
Purpose limitation: You must process the data for the legitimate purposes specified when you collected it.
Data minimization: You should only collect and process the essential data for the purposes specified.
Accuracy: You must keep personal data accurate and up to date.
Storage limitation: You may only store personal identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality: You must ensure data security, for example by encrypting or anonymizing collected data to protect privacy, and by safely handling the transfer of data across borders.
Accountability: The data controller is responsible for demonstrating GDPR compliance with all these principles. If you can’t show that you are compliant, then you aren’t.
Customer privacy rights
The GDPR aims to give individuals more control over the data they lend to an organization.
When can you process data?
You can process data when you have the subject's specific and unambiguous consent.
Processing is necessary to execute, prepare, or enter into a contract to which the data subject is a party.
Processing is necessary to comply with a legal obligation.
Processing is necessary to save somebody's life.
Processing is necessary to perform a task in the public interest or to carry out some official function, such as that of a private garbage collection company.
You have a legitimate interest in processing someone's data. However, the "fundamental rights and freedoms of the data subject" always override your interests, especially if it is a child's data.
If there is a real reason to process the data, then it can be done. Where the reason ends, the processing should cease too.
How can it impact your business?
The GDPR is not a job for your IT department alone. It will make you review different steps in your company, even the way you prospect clients and how marketing activities are managed. Companies have had to review business processes, applications, and forms to comply with double opt-in rules and e-mail marketing best practices.
Individuals need to consent explicitly to the acquisition and processing of their data. You must be able to prove that the individual agreed to a specific action, such as receiving a newsletter. You may not assume consent or rely on a disclaimer, and opt-out options or pre-checked boxes are not enough. Prospects will have to fill out a form or tick a box and then confirm their action in a follow-up e-mail to sign up for communications. You will need to review all your privacy statements and disclosures and adjust them where needed.
For customers, among other things, it can mean no more annoying newsletters, at least not without specific consent.
The European Commission claims that a single supervisory authority for the EU will make it easier and cheaper for businesses to operate within the region, and hopes it will benefit businesses.
GDPR compliance will improve your business by strengthening consumer confidence and enabling efficiencies in how organizations manage and secure data. This is not only crucial for GDPR compliance; it will also improve customer relationship management.
Follow us on LinkedIn, Twitter, or Facebook to get our updates, including the second part of this post.
This article was written by Juliane Verissímo - Marketing Department of VisionSpace.