by Ruby Henley
Companies tell you that they collect this type of information so that they can serve you better, offer you more targeted and relevant communications, all to provide you with a better customer experience.
But, is that what they really use the data for?
This is the question that has been asked and answered by the EU, and why in May 2018 a new European privacy regulation called GDPR will be enforced and permanently change the way you collect, store and use customer data.
In a study of more than 800 IT and business professionals that are responsible for data privacy at companies with European customers, Dell and Dimension Research found that 80% of businesses know few details or nothing about GDPR.
But, perhaps worst of all is that 97% of companies don’t have a plan in place for when GDPR kicks off in 2018.
Under the GDPR, individuals have:
- The right to access – this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
- The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
- The right to data portability – individuals have a right to transfer their data from one service provider to another, and it must happen in a commonly used and machine-readable format.
- The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
- The right to have information corrected – this ensures that individuals can have their data updated if it is out of date, incomplete or incorrect.
- The right to restrict processing – individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
- The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
- The right to be notified – if there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of the company first becoming aware of the breach.
The GDPR is the EU’s way of giving individuals, prospects, customers, contractors and employees more power over their data and less power to the organizations that collect and use such data for monetary gain.
The Business Implications of GDPR –
This new data protection regulation puts the consumer in the driver’s seat, and the task of complying with this regulation falls upon businesses and organizations.
In short, the GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Even organizations established outside the EU will be subject to GDPR: if your business offers goods and/or services to citizens in the EU, then it’s subject to GDPR.
All organizations and companies that work with personal data should appoint a data protection officer or data controller who is in charge of GDPR compliance.
There are tough penalties for those companies and organizations who don’t comply with GDPR: fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.
Many people might think that the GDPR is just an IT issue, but that is the furthest from the truth. It has broad-sweeping implications for the whole company, including the way companies handle marketing and sales activities.
The Impact of GDPR on Customer Engagement –
The conditions for obtaining consent are stricter under GDPR requirements as the individual must have the right to withdraw consent at any time and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities.
This means you have to be able to prove that the individual agreed to a certain action, to receive a newsletter for instance. It is not allowed to assume or add a disclaimer, and providing an opt-out option is not enough.
This changes a lot of things for companies, such as the way your sales teams prospect or the way that marketing activities are managed. Companies will have to review business processes, applications and forms to be compliant with double opt-in rules and email marketing best practices. In order to sign up for communications, prospects will have to fill out a form or tick a box and then confirm it was their action in a further email.
Organizations must prove that consent was given in a case where an individual objects to receiving the communication. This means that any data held must have a time-stamped audit trail and reporting information that details what the contact opted into and how.
If you purchase marketing lists, you are still responsible for getting the proper consent information, even if a vendor or outsourced partner was responsible for gathering the data.
In the B2B world, sales people meet potential customers at a trade show, they exchange business cards, and when they come back to the office, they add the contacts to the company’s mailing list. In 2018, this will not be possible anymore. Companies will have to look at new ways of collecting customer information.
Initial preparations for May 2018 –
A key component of the GDPR legislation is privacy by design.
Privacy by design requires that all departments in a company look closely at their data and how they handle it. There are many things a company will have to do in order to be compliant with GDPR. Here are just a few first steps to help get you started.
- Map your company’s data
Map where all of the personal data in your entire business comes from and document what you do with the data. Identify where the data resides, who can access it and if there are any risks to the data. This is not only important for GDPR, but will help improve Customer Relationship Management.
- Determine what data you need to keep
Don’t keep more information than necessary and remove any data that isn’t used. If your business collects a lot of data without any real benefit, you won’t be able to do this in a GDPR world. GDPR will encourage a more disciplined treatment of personal data.
In the clean-up process, ask yourself:
- Why exactly are we archiving this data instead of just erasing it?
- Why are we saving all this data?
- What are we trying to achieve by collecting all these categories of personal information?
- Is the financial gain from deleting this information greater than from encrypting it?
- Put security measures in place
Develop and implement safeguards throughout your infrastructure to help contain any data breaches. This means putting security measures in place to guard against data breaches, and taking quick action to notify individuals and authorities in the event a breach does occur.
Make sure to check with your suppliers also. Outsourcing doesn’t exempt you from being liable. You need to make sure that they have the right security measures in place also.
- Review your documentation
Under GDPR, individuals have to explicitly consent to the acquisition and processing of their data. Pre-checked boxes and implied consent will not be acceptable anymore. You will have to review all of your privacy statements and disclosures and adjust them where needed.
- Establish procedures for handling personal data
As we mentioned earlier, individuals have 8 basic rights under GDPR.
You will need to establish policies and procedures for how you will handle each of these situations.
- How can individuals give consent in a legal manner?
- What is the process if an individual wants his data to be deleted?
- How will you ensure that it is done across all platforms and that it really is deleted?
- If an individual wants his data to be transferred, how will you do it?
- How will you confirm that the person who requested to have his data transferred is the person he says he is?
- What is the communication plan in case of a data breach?
Data is a valuable currency in this new world.
And while GDPR does create challenges and pain for us as businesses, it also creates opportunity.
Companies who show they value an individual’s privacy (beyond mere legal compliance), who are transparent about how the data is used, who design and implement new and improved ways of managing customer data throughout its life cycle build deeper trust and retain more loyal customers.
The May 2018 deadline may seem a long way off at the moment, but before you know it, a year will have passed. If you haven’t already started your journey, we urge you to start now.
Dedicate time to understand what you need to do in order to become compliant and use the practical tips shared in this article to help you get started. Then, create a plan of action for your journey to GDPR so that when May 2018 rolls along you’re calm and relaxed and you can answer all your customers’ questions regarding compliance.
How will GDPR impact your business?
And what are you doing right now in order to be GDPR compliant by May 25th, 2018?
How does GDPR affect US-based companies and websites –
Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed. This is the case where the processing relates to the offering of goods or services or the monitoring of behavior that takes place in the EU. Thus, the GDPR can apply even if no financial transaction occurs.
- For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR.
- That said, general global marketing does not usually bring a company within scope on its own.
- If you use Google Adwords and a French resident stumbles upon your webpage, the GDPR likely would not apply to the company solely on that basis.
- If, however, your website pursues EU residents – accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, or markets in the language of an EU country, the GDPR will apply to your company.
- Likewise, if your company is engaged in monitoring the behavior of EU residents (e.g. tracking and collecting information about EU users to predict their online behavior), the GDPR likely will apply to your company.
US-based companies with no physical presence in the EU, but in industries such as e-commerce, logistics, software services, travel and hospitality with business in the EU should already be in the process of ensuring GDPR compliance. However, all US-based companies, especially those with a strong Internet presence, should assess whether their business activity falls within the territorial scope of the GDPR.
What Happens If You Are Not In Compliance –
The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, calculated based on the company’s global annual turnover of the preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less serious infringements.
So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2% of its global revenue or €10 million.
A report by Gartner predicted that more than 50% of companies within the scope of the GDPR will not be compliant by the end of 2018.
Considering that one of the main objectives of the GDPR was to expand the territorial scope, companies based outside the EU should not be surprised to find that THEY ARE PARTICULAR TARGETS OF DATA REGULATORS.
Who has to comply –
- If your company does business with residents of the EU – whether or not they are paying customers and whether or not they are citizens of an EU country – or collects or processes the personal information of EU residents, or even just tracks their web-browsing habits with cookies.
What happens if you fail to comply –
- The Regulation lays out maximum penalties, which differ depending on the type of offense. It also provides that all penalties are to be “effective, proportionate to the offense, and dissuasive.”
WHAT DOES THAT MEAN?
In some circles, a state of fear has been created around the GDPR. Headlines in the tech and business press scream dire warnings that the deadline is coming at us like a freight train, with the implication that if an organization isn’t in absolute, one hundred percent compliance at the stroke of midnight on May 25 of next year, it will face apocalyptic consequences.
It’s in the interests of journalists to over-sensationalize the possible penalties in order to draw in more readers, and it’s in the interests of the many companies that are selling GDPR compliance solutions to overstate the ramifications in order to sign up more customers.
WHAT IS THE REAL STORY –
To be sure, the GDPR – like all governmental acts that regulate business – is a serious matter and shouldn’t be ignored. One of the significant differences between the Directive and the GDPR is that the latter greatly increases the maximum fine amount – up to €20,000,000 (which, at the current exchange rate at the time of this writing, is equal to $23,881,000 USD) or up to four percent of the company’s annual “global turnover” for the preceding year, whichever is greater.
“Global turnover” refers to total revenues, net of taxes. For a corporate giant such as Apple, Amazon, Microsoft, Google, Samsung, or Exxon Mobil with annual revenues in the billions, that four percent represents a tremendous amount of money. Many companies don’t make enough money for the four percent to apply, and in any case the amount of the fine – if any – that is actually imposed will depend on a number of different factors. Article 83 of the GDPR addresses in detail the conditions for imposing administrative fines, and specifically names factors that are to be taken into consideration:
- nature, gravity, and duration of the violation,
- the categories of personal data that are affected,
- previous violations,
- intent or negligence,
- actual harm done and efforts to mitigate the damage to data subjects,
- degree of responsibility of the controller or processor, certifications and adherence to codes of conduct,
- reporting of the violation, and cooperation (or lack thereof) with authorities.
In addition, the €20,000,000 maximum applies to the higher of two tiers of violations, which covers the more serious offenses:
- those pertaining to the rules for obtaining consent,
- data subjects’ rights,
- rules governing data transfer,
- obligations to member states,
- and violation of an order.
The lower tier of violations has a maximum fine limit that’s half that of the upper tier: €10,000,000 or two percent of annual turnover. Some violations that fall into this category include:
- Failure to notify the data subject whose personal data was impacted of a data breach,
- Failure to notify the supervisory authority of a data breach,
- Failure to properly designate a data protection officer (when required),
- Failure to meet certain conditions surrounding obtaining a child’s consent.
INTERESTING NOTES –
- Denmark and Estonia are different in regard to the penalties. Their own national laws don’t permit them to impose the administrative fines prescribed by the GDPR but fines can be imposed through their court systems.
- Given all this, it’s by no means certain that your organization will be hit with a huge fine if it doesn’t manage to comply with every single aspect of the Regulation by May 25, particularly if you can show that you’ve made a good faith effort to do so and the violation hasn’t caused harm to someone.
- Article 58 provides for the issuance of warnings and reprimands in addition to or instead of the imposition of fines.
- You could also have your certification withdrawn, or be ordered to take action to carry out one or more of the obligations under the Regulation.
Who decides what (if anything) you’ll pay –
- Fines are assessed by supervisory authorities, or Data Protection Authorities (DPAs). These are the entities appointed to implement and enforce the European privacy laws in each member nation.
- This is not new with the GDPR; the Directive that came before it addressed the appointment, responsibilities and jurisdiction of DPAs, providing that each DPA enforces data protection law at the national level and is also tasked with providing organizations with guidance regarding how the privacy laws are to be interpreted.
- The roles and responsibilities are generally the same after the replacement of the Directive with the GDPR. Article 51 of the GDPR requires that “each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation.”
- Both the Directive and the Regulation require that the persons acting as DPA must have the skills and experience necessary to perform the role and be subject to a duty of professional secrecy. The GDPR adds that each DPA must be created through a transparent procedure, although such procedure isn’t described.
- DPAs have a great deal of power in enforcing the GDPR. They are authorized to hear claims brought by data subjects, investigate alleged violations of the GDPR and to institute legal proceedings against violators. They are required to keep records and publish reports of their activities and enforcement actions. DPAs operate independently, but they also work together, with the head of one supervisory authority per member state making up the European Data Protection Board (EDPB). The primary task of the Board is to ensure consistent application of the Regulation across the EU states. Chapter 7 (Articles 60-76) is all about cooperation and consistency and this is where the Board’s responsibilities are defined.
Because each nation has its own DPA, this can complicate matters if your organization processes personal data across multiple EU countries. You would generally only deal with a DPA if your organization has been reported to have engaged in a serious violation of the privacy law. In that case, your legal representatives should have experience in EU privacy law in general, the GDPR in particular, and dealing with DPAs.
If the GDPR applies to your organization – and it probably does if you collect any sort of information about anyone who resides anywhere within the EU – you can’t afford to ignore it. Hefty fines, while not automatic, are a possible consequence. But don’t panic; the GDPR isn’t quite as scary as you might have thought. Its purpose is to protect the privacy of personal data, not to hand out harsh punishment to companies that are making an honest effort to comply.
EXPECT LAWSUITS –
Here we are. Wow, what a fun thinking about all these years of debates with fb representatives telling me ‘consumers don’t want privacy rights anymore’ and ‘a startup (sic) like facebook shouldn’t be overburdened’. 😘 #GDPR #dataprotection #privacy t.co/gowYVvKjJf
— Jan Philipp Albrecht (@JanAlbrecht) April 15, 2018
Facebook says users must accept targeted ads even under new EU law: NO THEY MUST NOT, there are other types of advertising, subscription etc. t.co/zrUgsgxtwo
— Mireille Hildebrandt (@mireillemoret) April 18, 2018
“Yes, they will be taken to court”
“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment,” runs one key portion of GDPR.
Now compare that with: “People can choose to not be on Facebook if they want” — which was Facebook’s deputy chief privacy officer, Rob Sherman’s, paper-thin defense to reporters for the lack of an overall opt out for users to its targeted advertising.
Data protection experts who TechCrunch spoke to suggest Facebook is failing to comply with, not just the spirit, but the letter of the law here. Some were exceedingly blunt on this point.
“I am less impressed,” said law professor Mireille Hildebrandt discussing how Facebook is railroading users into consenting to its targeted advertising. “It seems they have announced that they will still require consent for targeted advertising and refuse the service if one does not agree. This violates [GDPR] art. 7.4 jo recital 43. So, yes, they will be taken to court.”