You’ve probably seen a flurry of privacy policy updates, email permission requests and announcements about compliance with Europe’s General Data Protection Regulation, or GDPR for short. If you run an online business and are still wondering what all the fuss is about, it’s high time to educate yourself — or pay the price.
Even if you’re not based in Europe, if you gather personally identifying information from leads, customers or subscribers who live in Europe, you need to comply. It may be as simple as complying with your country’s data protection laws (if they measure up to EU standards). Or it may require you to review your data security practices and implement some new practices and technologies.
What is GDPR?
Europe’s GDPR is a data protection and privacy regulation created to harmonize data protection laws across Europe. It gives EU citizens and residents control over how their personal data is collected, used and shared.
GDPR came into force on May 25, 2016. Since that date, organizations that collect data from EU residents have been required to update their privacy policies and change the way they collect, store and share personally identifiable information.
GDPR applies to all organizations that do business in the EU. It requires organizations to:
- Export data only to countries that have adequate personal data protection
- Build data protection by default into any data processing technology
- Anonymise stored personal data so it does not personally identify users
- Use the highest possible privacy settings
- Ask for informed consent before processing personal data
- Have explicit consent from individuals to share or make data accessible
- Disclose how they’re using data and if it’s being shared outside the EU
- Provide a copy of individuals’ collected data on request
- Have a data protection officer on staff if they collect personal data
- Report a data breach within 72 hours if it threatens user privacy
Why was there a push for GDPR by regulators?
The EU’s data protection laws have consistently been among the best in the world. As technology and the way we use it have changed rapidly (and will continue to change in ways we can’t imagine), EU regulators realized it was time to upgrade the previous regulation — 1995’s Data Protection Directive — to encompass current and future technologies and practices. The EU adopted GDPR in 2016 and made it applicable to all organizations that do business with EU residents on May 25, 2018.
What does it mean to obtain explicit consent to collect and store data?
Regardless of where your business is located, you are required to honour the data protection regulations that apply in the countries where your customers or subscribers live.
For example, if your company is based in the United States and you gather even the smallest amount of data from EU residents, GDPR requires you to follow specific rules for obtaining consent to collect, store and share their data.
Key to this process is ensuring you have explicit consent — the data subject must carry out an action that indicates specific, informed and unambiguous agreement to have their personal data processed. If you haven’t obtained consent, you will need to ask for it retroactively. And you must be able to demonstrate that an individual has given their consent, if asked.
How do you obtain explicit consent from customers or subscribers?
- Explain clearly why you are collecting personal information and what you will do with it.
- Identify your organization by name, and identify any third parties who will also be accessing this data.
- Provide an unticked box or a field where people can type and submit their email address.
- Be granular. Allow people to opt into different types of lists so they know exactly what they are signing up for.
- Use double opt-in for obtaining consent to add someone to your email lists: send subscribers an opt-in email with a link that enables them to confirm their subscription.
- Make it easy, and clearly explain how someone can withdraw consent or remove themselves from your database.
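The steps above describe a double opt-in flow with granular purposes, single-use confirmation links and an audit trail that lets you demonstrate consent on request. The following Python is an added illustration written for this article, not code from the original or from any product it mentions: the class and purpose names are this example's own, the ledger is in memory, and the email sending is left to the caller (the token returned by `request` is what you would embed in the confirmation link). Note that nothing is recorded as consent until the link is used, the stored token is hashed so a leaked table cannot be used to confirm someone else's subscription, and withdrawals are appended rather than deleting history, so the proof of consent survives.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Purposes a subscriber can opt into separately (granular consent). Constructed for this example.
PURPOSES = frozenset({"newsletter", "product_updates", "partner_offers"})
# How long a confirmation link stays valid: 48 hours, in seconds (an assumed policy value).
CONFIRM_TTL = 48 * 3600


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only audit entry: who, which purpose, granted or withdrawn, when, under which notice."""
    email: str
    purpose: str
    action: str            # "granted" or "withdrawn"
    at: int                # unix timestamp supplied by the caller
    policy_version: str    # identifies the exact wording the person saw when they agreed
    evidence: str          # how the action was taken, e.g. the confirmation link or an unsubscribe request


class ConsentLedger:
    """Hypothetical in-memory consent store; a real system would back this with a database."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (email, purposes, policy_version, requested_at)
        self._events = []    # append-only; never edited or deleted

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the token is kept, so a copy of this table cannot be used to confirm subscriptions.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email: str, purposes, policy_version: str, now: int) -> str:
        """Record that a person submitted the (unticked) form and return the single-use token for the link."""
        chosen = frozenset(purposes)
        if not chosen or not chosen <= PURPOSES:
            raise ValueError(f"unknown or empty purposes: {sorted(chosen)}")
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email.lower(), chosen, policy_version, now)
        return token  # goes into the confirmation email; no consent exists yet

    def confirm(self, token: str, now: int) -> bool:
        """Second step of the double opt-in: the link was clicked. Returns False for unknown, reused or expired tokens."""
        entry = self._pending.pop(self._digest(token), None)  # pop makes the token single-use
        if entry is None:
            return False
        email, purposes, policy_version, requested_at = entry
        if now - requested_at > CONFIRM_TTL:
            return False
        for purpose in sorted(purposes):
            self._events.append(ConsentEvent(email, purpose, "granted", now,
                                             policy_version, "double-opt-in confirmation link"))
        return True

    def withdraw(self, email: str, purposes, now: int) -> None:
        """Withdrawal is as easy as granting: one call per purpose the person no longer wants."""
        email = email.lower()
        active = self.active_purposes(email)
        for purpose in sorted(set(purposes) & active):
            self._events.append(ConsentEvent(email, purpose, "withdrawn", now,
                                             "n/a", "withdrawal request"))

    def active_purposes(self, email: str) -> frozenset:
        """The purposes you may currently process this person's data for: latest event per purpose wins."""
        latest = {}
        for event in self._events:
            if event.email == email.lower():
                latest[event.purpose] = event.action
        return frozenset(p for p, action in latest.items() if action == "granted")

    def proof_of_consent(self, email: str) -> list:
        """Everything needed to demonstrate consent (or its withdrawal) to a regulator or the person."""
        return [event for event in self._events if event.email == email.lower()]


if __name__ == "__main__":
    ledger = ConsentLedger()
    token = ledger.request("Alice@Example.org", ["newsletter", "product_updates"], "privacy-notice-v1", now=1000)
    print("confirmed:", ledger.confirm(token, now=1100))
    ledger.withdraw("alice@example.org", ["newsletter"], now=2000)
    for event in ledger.proof_of_consent("alice@example.org"):
        print(event)
```

The `policy_version` field matters more than it looks: if your privacy notice changes, consent recorded against the old wording is evidence of agreement to that wording only, so the ledger keeps it alongside each event rather than storing one global value.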
What happens if you don’t comply with GDPR?
Non-compliance can result in some hefty fines. Companies that violate certain articles of GDPR can be fined as much as 20 million Euros, or four percent of the previous year’s global revenue (whichever is higher). Other infringements can cost up to 10 million Euros, or two percent of global revenue. You get the picture.
But the other risk of not complying involves the security of your data. GDPR was created to protect consumers, but it also exists to ensure that data remains secure from increasingly sophisticated breaches. Being hacked and having your data stolen and exposed is a considerably more expensive situation — both in terms of the risk to your customers and business and the damage to your brand.
Getting started: follow a GDPR compliance checklist
Depending on where you stand today with your data protection policies, getting started with GDPR compliance can be a daunting task. Begin by reviewing your country’s data protection laws and how they align with GDPR. Then audit your current technology and business practices. It helps to follow a GDPR compliance checklist such as The GDPR Compliance Checklist. From there, you’ll be able to see where you are today and where you need to go before assigning tasks to the right people in your organization.