Helping your business comply with GDPR

GDPR stands for General Data Protection Regulation, which is the privacy regulation in force across the European Union (EU) beginning May 25, 2018. The GDPR lays down new principles – and reinforces existing ones – for the protection of personal data of EU citizens. EU organizations and those which process personal data of EU citizens will have to comply with the GDPR.

The GDPR is effective starting May 25, 2018. In most of the EU it replaces the previous legislation which was put in place at the end of the 1990s.

The GDPR is applicable to any company, non-profit, government agency or other organzation that is either based in the EU or processes the personal information of EU citizens. This means that GDPR knows no geographical bounds and even though it’s enforced by EU based institutions, companies from all over the world are affected.

Brexit – the UK leaving the EU – is set to happen on March 29, 2019 which is around 10 months after GDPR comes into force. This means that UK companies can’t rely on Brexit saving them from the need to be GDPR-compliant. Moreover, in 2018 the relevant UK government agencies indicated they expect to maintain privacy laws at least as strong as GDPR.

GDPR affects all businesses that deal with the data of EU citizens, regardless of the number of employees or turnover of the organization. Small businesses will have to comply with new regulations – for example regarding the manner in which individuals can consent to their data being processed, their right to have their data erased, data portability, data governance responsibilities and notification requirements if data breaches occur. Small businesses in the EU should take guidance from the relevant regulatory agency (for example the Information Commissioner in the UK, CNIL in France) and appropriately experienced legal adviser.

GDPR requires that organizations handle personal data in certain ways. Organizations which have implemented a CRM system can harness it to enable (and require) users to handle that data in compliance with the GDPR. Our detailed guide which you can find here explains how.

There are a number of ways in which GDPR will impact marketers, but perhaps the most important is that the regulation reinforces the need for marketers to use people’s information only if they have a lawful basis to do so. While most marketers will have heard about having consent, there are five other bases on which an organization can rely to process personal data. Of these, there are three which are most relevant to small businesses: to perform or enter into a contract, to fulfill a legal obligation, or where it is in the legitimate interests of the small business, unless there is a good reason to protect the individual’s interests which is more important than the legitimate interests of the business.