By: Act! Blog | 11/23/2017
May 25, 2018 will mark a major divide in how businesses handle user data. On that day the EU's General Data Protection Regulation (GDPR), adopted in April 2016, becomes enforceable across the EU. While it may look like just another legal formality, it is anything but: GDPR will, without any hint of hyperbole, change the way businesses collect, store and use customer information. Businesses established outside Europe should not let the letters 'EU' fool them into thinking it won't affect them. GDPR applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour, not only to those dealing with EU citizens.
It doesn't take much to notice that digital marketing circles are abuzz over the regulation. It should come as a surprise, then, that by the end of 2018, when GDPR is in full force, more than half of global organisations are still estimated to be non-compliant. With only months left before GDPR applies, it is high time for businesses to prepare.
GDPR is a regulation adopted by the European Union that replaces the 1995 Data Protection Directive. Aimed at giving individuals in the EU more control over how companies use their personal data, it applies from May 25, 2018. It is a stricter version of the existing EU data protection rules and, unlike the directive, applies directly in every member state without national implementing laws. It also applies to any business that handles the personal data of people in the EU, regardless of where that business is established. The regulation will be effective in the UK as long as the UK remains a member state, and work has already begun on restructuring the UK's data protection legislation in line with GDPR.
GDPR widens the definition of personal data. Under the regulation, personal data is any information relating to an identified or identifiable living individual. In addition to the usual suspects (name, picture, email address, contact number), GDPR lists other 'identifiers', for example location data, identification numbers and online identifiers such as an individual's IP address and cookies stored on a device. Pseudonymised data (data that can be tied back to a person with additional information held separately) still counts as personal data; only properly anonymised data falls outside the regulation.
On the face of it, GDPR sounds like a headache for the IT team. But business processes such as marketing and sales are not insulated from its effects either. In fact, you may have to overhaul some of your most staple sales practices to be compliant.
Businesses cannot process an individual's data without a lawful basis. Consent is the best known of these, but it is only one of the six bases listed in Article 6 (the others are contract, legal obligation, vital interests, public task and legitimate interests). Whichever basis you rely on, the accountability principle means you must be able to document and demonstrate it. So adding someone's details to your system from their business card is no longer a casual act: you need to be able to show on what basis you hold and use the data, and if that basis is consent, the consent must be specific, informed, freely given and recorded. The same applies to data acquired from a third party: if you hold an individual's personal data, by whatever route, you are responsible for the lawful basis, and you must tell the individual where the data came from and what you are doing with it within a month of obtaining it.
GDPR does not only apply to data collected after May 2018; it applies to all personal data you process from that date, however long ago it was gathered. This means that if an individual objects to the processing of their data, or asks for it to be restricted or erased, you must honour that request regardless of when the data was acquired. Data collected under the old rules gets no grandfathering.
Reverse IP tracking is another practice that is sure to be affected. Online identifiers such as IP addresses are explicitly named in the regulation as personal data. This means that logging visitors' IP addresses and using them to identify or profile the businesses and people behind them is processing of personal data, and you need a documented lawful basis for it (consent, or legitimate interests backed by a balancing test), plus a privacy notice that tells visitors it is happening.
Finally, GDPR also affects reactivation programs, which aim to bring inactive customers back into the fold. Consent obtained before May 2018 remains valid only if it meets the GDPR standard; a pre-ticked box or a consent buried in terms and conditions does not. If you cannot demonstrate valid consent for a dormant contact, you must re-inform them and obtain a fresh opt-in before including them in such a program, and you must make opting out as easy as opting in.
At this point, we hope that the article so far has provided enough motivation to bring your business in line with GDPR. If not, the fines for non-compliance should give you an extra push: for the most serious infringements they run to 4% of the business's annual worldwide turnover or 20 million euros, whichever is higher (a lower tier of 2% or 10 million euros applies to other breaches, such as failing to keep adequate records or to notify a data breach).
To help you get started, we have outlined 5 steps you can take to make your business GDPR-compliant:
Now is the time to track all of your data-driven activities. Document where each set of personal data came from, on what lawful basis you hold it, what it is used for, how long you keep it, who it is shared with and who can access it within the organisation. Start by identifying all the data that falls under GDPR's definition of personal data; the regulation defines the term in clear terms, so use that to your advantage. This inventory is also the foundation of the records of processing activities that GDPR requires most organisations to keep. Once you have sorted out which data is actually relevant to GDPR, you can make future decisions much more efficiently.
After mapping your data, assess the true worth of what your company has stored over the years. GDPR requires data minimisation and storage limitation: holding only the personal data that is necessary for a stated purpose, and only for as long as it is needed. Shedding data that is not vital to business processes reduces the amount you have to protect, document and answer for. A good start is to look at older data and determine how useful it has been; then move on to more recent data. Businesses often find it hard to let go of customer data, thinking it may come in useful later. Don't fall into this trap; clear as much clutter from your systems as you can. The leaner your data store, the better, both in light of GDPR and as a general business rule.
As stated earlier, businesses must have a documented lawful basis for every use of personal data, and where that basis is consent, the consent must meet GDPR's standard and be provable. This means altering your existing data collection practices to conform. Think about how you will capture and record consent, how you will hand an individual's data over to them or to another service in a portable format when they ask (the right to data portability), and what process you will follow when a customer asks for their data to be erased or for processing to stop. You also need to give your documentation a second look. Pay special attention to your terms and conditions and privacy notices, as they will almost certainly require revisions: GDPR specifies what a privacy notice must tell people, including the purposes and lawful basis of processing, retention periods and their rights.
One of the underlying principles that GDPR embodies is what the regulation calls 'data protection by design and by default', often referred to as 'Privacy by Design'. It means that businesses should treat data protection as a built-in requirement rather than an afterthought: design practices, processes and systems with data protection in mind, collect only what is needed by default, and stay cognisant of data privacy from the moment new data enters the system to the moment it leaves. Your business, and particularly the IT department, needs to implement security measures appropriate to the risk, such as encryption and pseudonymisation, access controls, and the ability to restore data after an incident, and to be ready to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. Also be wary of how any third parties you work with handle data protection: processors acting on your behalf must be bound by a written contract covering GDPR's requirements, and a failure on their part will also put you at risk.
Finally, look for expert assistance while preparing for a post-GDPR world. For some organisations this is not optional. Under Article 37, a Data Protection Officer (DPO) is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories of data (such as health data) or criminal records. Headcount is not the test; the often-quoted 250-employee threshold appears in Article 30 and concerns the exemption from keeping records of processing, not the DPO requirement, and even that exemption does not apply to organisations whose processing is regular, risky, or involves special categories of data. Whether mandatory or voluntary, a DPO advises on compliance, monitors it, and acts as the contact point for the supervisory authority and for data subjects. The DPO does not build the safeguards personally but works with IT and the business to make sure they are in place, potentially saving you a great deal in fines at a fraction of the cost.
May 2018 might seem a long way off, but it is always better to start sooner rather than later. Many businesses are complacent in their preparation for GDPR's arrival, which means that getting ready early is a chance to get a leg up on your competitors, not to mention winning your customers' trust by ensuring data privacy and transparency. GDPR does present new challenges to businesses worldwide. But instead of flinching at the thought of the new regulation, embrace it and prepare for it. Who knows? It may turn out to be a blessing in disguise for your business.
To learn more about GDPR and for useful resources such as articles, guides, and training sessions, please check our GDPR Compliance page.