What is GDPR and How Does It Impact Your Business?



Back in 2016, the European Parliament and Council adopted a new data protection law: the European Union's General Data Protection Regulation (GDPR). Being a regulation rather than a directive, it applies directly in every member state, and it becomes enforceable on May 25, 2018. Those familiar with its requirements call it the biggest change to data handling practices since the 1995 Data Protection Directive it replaces, for large and small businesses alike.

If you have no idea what GDPR means for your business, you are not alone. A recent Dell survey reported that around 80% of respondents had little or no knowledge of GDPR, and that 97% of companies had no formal plan to prepare for it. This article explains what GDPR is and how it will affect your business.


What is GDPR?

After years of deliberation, the European Parliament adopted GDPR in April 2016, with enforcement starting on May 25, 2018. Its goal is to protect the personal data of people in the EU and to give them real control over how that data is used. Any organisation that processes the personal data of individuals in the EU falls under GDPR, including organisations registered outside Europe that offer goods or services to, or monitor the behaviour of, people in the EU. Even the UK, which voted in 2016 to leave the EU, has committed to bringing its own data protection law in line with GDPR.

Being a legal text, GDPR defines the terms it relies on. The most important is 'personal data', which it defines as 'any information relating to an identified or identifiable natural person', whom the regulation calls the 'data subject'. A person is identifiable if they can be picked out directly or indirectly, so the definition covers not only names, photographs, medical histories and email addresses but also social media handles and online identifiers such as a computer's IP address or a cookie ID.

GDPR gives data subjects the following rights over their data (one entry below, breach notification, is strictly an obligation on the business rather than a right the individual invokes, but it belongs in the same list):

  • Right of access
    Data subjects can ask the data controller (the business that decides why and how data is processed) whether it holds data about them, what it is used for and who receives it, and obtain a copy. The copy must be provided free of charge, normally within one month, and in a commonly used electronic format if the request was made electronically.
  • Right to be forgotten (erasure)
    Data subjects can ask for their personal data to be deleted, for example when it is no longer needed for the purpose it was collected for or when they withdraw their consent. The controller must then erase it and, where the data has been passed to third parties, tell them to do the same. The right is not absolute: data a business is legally obliged to keep, such as invoices, stays.
  • Breach notification
    A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the business becoming aware of it, unless the breach is unlikely to put individuals at risk. Where it is likely to put them at high risk, the affected data subjects must also be told without undue delay.
  • Data portability
    Data subjects can receive the data they provided to you in a structured, commonly used, machine-readable format, and have it transmitted directly to another service where that is technically feasible.
  • Right to be informed
    Individuals must be told, at the point of collection, who is collecting their data, why, on what legal basis, for how long and with whom it is shared. Where consent is the legal basis, it must be given by a clear affirmative action: a pre-ticked box or silence does not count.
  • Right to rectification
    Individuals can have inaccurate data corrected and incomplete data completed.
  • Right to restrict or object to processing
    Individuals can withdraw consent at any time, after which any processing that relied on that consent must stop, and they can object to processing based on your legitimate interests (an objection to direct marketing must always be honoured). They can also ask for processing to be restricted while, for instance, a dispute over accuracy is resolved. None of this is the same as erasure: the data stays, but you may no longer use it for that purpose.

Another important point is that GDPR does not distinguish between personal data in private and work contexts. A work email address or a contact name exchanged in B2B communications is still personal data about an individual, so it is protected even though the person is acting on behalf of a business.

The European Union has put serious penalties behind GDPR. For the most serious infringements a business can be fined up to 4% of its annual worldwide turnover or 20 million euros, whichever is higher; a lower tier of 2% or 10 million euros applies to other failures, such as not keeping records or not notifying a breach. Non-compliance can therefore have severe consequences for your business.


Business Implications of GDPR: What does GDPR mean for businesses?

Now that you know what GDPR is, the next question is how it affects your business. In a post-GDPR world, the privacy and security of your customers' personal data matter more than ever. The first step is to find out which of the data you hold falls under GDPR: anything that can identify a customer, which includes IP addresses, cookie and device identifiers, not just names and email addresses. This data discovery exercise is the foundation for everything else, because you cannot answer an access request, honour an erasure request or assess a breach without knowing where personal data lives, across databases, backups, log files and spreadsheets. Be thorough in tracking down every record that can identify a person.
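The kind of data discovery scan described above, as an added example that is not part of the original post. It assumes records arrive as dictionaries of field name to string (rows exported from a CRM, or fields parsed out of a log line); the detectors are simple regular expressions plus a validation step, and the sample rows are constructed for the example. Hits are candidates for human review, not a verdict, and the field-name check catches columns that are personal data by definition whatever they contain.

```python
"""Personal-data discovery scan (added example; not the original post's code).

Assumptions: records are dicts of field -> value; identifiers of interest are
email addresses, public IP addresses and phone numbers. Regexes are deliberately
simple, with ipaddress used to validate IP candidates and drop internal ranges.
"""
import ipaddress
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"\b(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{1,4}\b")
# optional +, 8-15 digits, spaces/dashes allowed between groups; not inside a word or dotted number
PHONE_RE = re.compile(r"(?<![\w.])\+?\d[\d\s-]{7,14}\d(?![\w.])")
# Columns that hold personal data by definition, regardless of their content
SENSITIVE_FIELDS = {"name", "full_name", "dob", "date_of_birth", "address", "photo_url"}
# Addresses that identify your own infrastructure rather than a person
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str   # "field", "email", "ip" or "phone"
    value: str


def _public_ip(text):
    """True if text parses as an IP address that could identify an end user."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:          # e.g. a timestamp like 12:30:45 matched the IPv6 regex
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def scan_value(text):
    """Yield (kind, value) for every identifier found in one string."""
    for m in EMAIL_RE.finditer(text):
        yield "email", m.group()
    for regex in (IPV4_RE, IPV6_RE):
        for m in regex.finditer(text):
            if _public_ip(m.group()):
                yield "ip", m.group()
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 8 <= len(digits) <= 15:
            yield "phone", m.group()


def scan_records(records, id_field="id"):
    """Scan every field of every record; return a list of Findings."""
    findings = []
    for rec in records:
        rid = str(rec.get(id_field, "?"))
        for field, value in rec.items():
            if field == id_field:
                continue
            if field.lower() in SENSITIVE_FIELDS and value:
                findings.append(Finding(rid, field, "field", str(value)))
            for kind, hit in scan_value(str(value)):
                findings.append(Finding(rid, field, kind, hit))
    return findings


def summarize(findings):
    """Count hits per (field, kind): tells you which columns hold personal data."""
    counts = {}
    for f in findings:
        counts[(f.field, f.kind)] = counts.get((f.field, f.kind), 0) + 1
    return counts


# Constructed sample rows: two CRM contacts and a support note containing log data
SAMPLE_RECORDS = [
    {"id": 1, "name": "Anna Example", "email": "anna@example.org",
     "notes": "called from +44 20 7946 0958"},
    {"id": 2, "name": "", "email": "n/a",
     "notes": "ticket opened from 203.0.113.7, see 2001:db8::1"},
    {"id": 3, "name": "Bo Sample", "email": "bo@example.com",
     "notes": "internal test from 10.0.0.5, version 1.2.3"},
]

if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f)
    print(summarize(results))
```

Run on the constructed rows, the scan flags the name and email columns and the phone number and public IPs hidden in the free-text notes, while the internal 10.0.0.5 address and the version string 1.2.3 are ignored. In practice you would point `scan_records` at a sample of each table, file share and log source and use `summarize` to build the inventory of where personal data lives.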

Small businesses are not exempt. GDPR applies regardless of headcount; what Article 30 actually says is that organisations with fewer than 250 employees are excused from the duty to keep formal records of their processing activities, and even that exemption falls away if the processing is not occasional, is likely to put individuals at risk, or involves special categories of data such as health or criminal records. Likewise, the obligation to appoint a Data Protection Officer (DPO) does not depend on size but on what you do: it applies to public authorities and to organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special-category data. If that describes your business, you must appoint a DPO; if not, you may still choose to. A DPO advises on and monitors your compliance and acts as the contact point for the supervisory authority and for data subjects.

Consent takes on a different meaning under GDPR. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and shown by a clear affirmative action such as ticking an unticked box; consent to process special categories of data (health, religion and so on) must be explicit. Silence, pre-ticked boxes or a failure to opt out no longer count, and it is you, not the customer, who must be able to demonstrate that consent was given. This also reaches back: consent collected before May 2018 stays valid only if it already meets this standard; otherwise you must obtain fresh consent, or identify another lawful basis (contract, legal obligation or legitimate interests, for example), before you continue to use the data. Build opt-in mechanisms into every point where you collect personal data, and remember that a consent request must be clearly distinguishable from other matters, so burying it in your 'Terms and Conditions' does not work; update your privacy notice instead.

Another provision with direct implications for your business is the new breach reporting regime. A personal data breach must be reported to your national supervisory authority without undue delay and, where feasible, within 72 hours of your becoming aware of it; if you report later than that, you must explain the delay. The only exception is a breach that is unlikely to result in a risk to individuals, and even then you must keep an internal record of it. Where the breach is likely to cause a high risk to individuals, you must also inform them directly. You therefore need an incident response process that can detect a breach, assess its impact and produce a report within that window.

Finally, the best breach report is the one you never have to write, so take preventive measures. Article 32 requires security appropriate to the risk and names encryption and pseudonymisation as examples of it. A DPO monitors compliance but is not a substitute for someone responsible for security, so assign that responsibility, and encrypt personal data before it is stored, keeping the keys separate from the data. Breached data that is encrypted and whose keys were not exposed is also far less likely to trigger the duty to notify the individuals concerned. A little goes a long way here: even a modest layer of protection around personal data is worth far more than it costs.
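The encryption-before-storage advice above, and the right to be forgotten from the list earlier, can be implemented together: encrypt each data subject's fields under their own key, and erase the subject by destroying that key, so that every copy of the ciphertext (backups, replicas, exports) becomes unreadable at once. The following is an added example, not code from the original post; it assumes the `cryptography` package, and two in-memory dictionaries stand in for the application database and a separate key store (in production the keys belong in a KMS or HSM, never in the same database as the data). The sample values are constructed.

```python
"""Field-level encryption of personal data with one AES-GCM key per data subject,
and erasure by crypto-shredding (added example; not the original post's code).

Assumptions: the `cryptography` package is installed; `records` stands in for the
database and `keys` for a separate key store.
"""
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM


class PersonalDataStore:
    def __init__(self):
        self.records = {}  # subject_id -> {field: (nonce, ciphertext)}   the "database"
        self.keys = {}     # subject_id -> 256-bit key                    the "key store"

    def _aead(self, subject_id, create=False):
        """Return the AEAD for one subject; only `store` may create a new key."""
        if subject_id not in self.keys:
            if not create:
                raise PermissionError(f"no key for {subject_id!r}: data erased or never stored")
            self.keys[subject_id] = AESGCM.generate_key(bit_length=256)
        return AESGCM(self.keys[subject_id])

    @staticmethod
    def _aad(subject_id, field):
        # Associated data ties each ciphertext to its owner and column, so a
        # ciphertext copied to another subject or field fails authentication.
        return f"{subject_id}\0{field}".encode()

    def store(self, subject_id, field, value):
        nonce = os.urandom(NONCE_LEN)  # fresh per encryption; never reuse with the same key
        aead = self._aead(subject_id, create=True)
        ct = aead.encrypt(nonce, value.encode(), self._aad(subject_id, field))
        self.records.setdefault(subject_id, {})[field] = (nonce, ct)

    def read(self, subject_id, field):
        nonce, ct = self.records[subject_id][field]
        return self._aead(subject_id).decrypt(nonce, ct, self._aad(subject_id, field)).decode()

    def export(self, subject_id):
        """Right of access / portability: every field for one subject, decrypted."""
        return {f: self.read(subject_id, f) for f in self.records.get(subject_id, {})}

    def forget(self, subject_id):
        """Right to erasure by crypto-shredding: with the key gone, every copy of
        the ciphertext, including ones in backups, is permanently unreadable."""
        self.keys.pop(subject_id, None)
        self.records.pop(subject_id, None)

    def decrypt_copy(self, subject_id, field, entry):
        """Attempt to read a (nonce, ciphertext) copy, e.g. one restored from a
        backup. Returns None if the key no longer exists or the ciphertext does
        not belong to this subject and field."""
        nonce, ct = entry
        try:
            return self._aead(subject_id).decrypt(nonce, ct, self._aad(subject_id, field)).decode()
        except (PermissionError, InvalidTag):
            return None


if __name__ == "__main__":
    store = PersonalDataStore()
    store.store("cust-42", "email", "anna@example.org")   # constructed sample data
    store.store("cust-42", "ip", "203.0.113.7")
    print(store.export("cust-42"))
    backup = dict(store.records["cust-42"])               # a backup taken before erasure
    store.forget("cust-42")
    print(store.decrypt_copy("cust-42", "email", backup["email"]))  # None: key is gone
```

Two design points matter here. The subject and field name go into the AEAD's associated data, so an attacker who can write to the database cannot swap one customer's ciphertext into another customer's row and have it decrypt. And erasure removes the key first; deleting the rows is housekeeping, because a backup or replica you forgot about still holds ciphertext that nobody can read any more.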


How will it affect marketing and sales activities?

By now there should be little doubt that GDPR has far-reaching implications, and some of them extend to how businesses handle sales and marketing. Because GDPR governs digital consumer data, e-marketing in particular will be affected by the new rules.

A core part of modern e-marketing is email marketing, and for good reason: one study reported an average return on investment (ROI) of 119% for email campaigns, and customers themselves favour email, with 77% naming it as their preferred channel for receiving offers. But GDPR changes the ground rules for email marketing.

With the new emphasis on consent, you may not email prospects who have not agreed to hear from you or shown an interest in your product or service. This affects your existing mailing list as well as any list you buy from a third party: a contact's consent only covers you if, when they gave it, they were told their data would be shared with third parties such as your business. So insist that list vendors show when and how each contact consented and to what, and do not use the list if they cannot.

You should also put a system in place for recording consent when customers give it. Article 7 requires you to be able to demonstrate consent, so for every contact you market to you should be able to show who consented, when, how (which form and which wording) and to what. If you cannot produce that record for an existing contact, treat them as not having consented.

Last, but certainly not least, you need a working procedure through which customers can ask for their personal data to be deleted and can object to marketing, as a direct consequence of GDPR's right to be forgotten; a suppression list that stops an opted-out address from being re-imported is the minimum. Your profiling practices also need to evolve: individuals can object to profiling for direct marketing at any time, and that objection must always be honoured.


Conclusion

As economies become increasingly reliant on data, so does the importance of protecting it. The EU's GDPR is an attempt to do just that: a regulation that obliges businesses to be ever more careful with the personal data of their customers. And while such legislation may dent the profitability of some businesses, the best ones will treat it as an opportunity and turn it into a competitive advantage.


To learn more about GDPR and for useful resources such as articles, guides, and training sessions, please check our GDPR Compliance page.