The internet has dramatically changed the way we communicate and carry out everyday tasks.
We can do almost anything through the internet, whether that is purchasing goods, sharing documents or communicating with people. To do this we share our personal details online without a second thought.
Take a minute to think about all the personal data you have shared online over the years and how that information may be used.
These personal details that we share are things like your IP address, home addresses, social media posts, and even banking information.
Most companies state the information you give them is to provide better customer service and send you marketing emails with special offers and updates. But is that really the case?
The EU asked the same question. What is this information really for? In May 2018 a new European privacy legislation (GDPR) was enforced. This has permanently changed the way you as a business collect, store and use client/customer data.
In a study of more than 800 IT and business professionals who are responsible for data privacy at companies with European customers, Dell and Dimension Research found that 80% don’t know much about GDPR at all!
Recently, TrustArc found that only 20% of businesses are now GDPR compliant.
And that’s not all! Just over 1 in 4 companies (27%) have yet to make their organization GDPR compliant even though 25th May was the deadline.
When you are starting up a new company and are not completely up to date with the IT side of the business, it is expected that you will still be improving your knowledge of GDPR and will take some time to become fully compliant. But research from the Ponemon Institute found that 60% of tech companies weren’t fully GDPR compliant either.
So even these “tech-savvy” businesses are behind on GDPR!
GDPR is important to companies in all sectors, such as tech, travel, business consultancy and many others. So we’re going to discuss how it impacts your business and give you a few tips along the way.
What is GDPR?
On May 25, 2018, the new European privacy regulation came into effect.
Check out this short video by the Wall Street Journal to learn more about how GDPR could affect your business:
GDPR stands for General Data Protection Regulation.
This regulation gives citizens of the EU and EEA greater control over their personal data and assures them that their information is protected across Europe.
The regulation replaced the local privacy laws across the EU and EEA region. It applies to all businesses storing personal information about people in Europe, including companies based on other continents.
The 8 Basic Rights of GDPR
Under the GDPR, individuals have:
- The right to be forgotten – If consumers are no longer using your services or if they withdraw consent for a company to use their personal information, they have the right to have all their personal information deleted.
- The right to be informed – Individuals must be informed before any data is gathered. Consumers must opt-in for their data to be gathered and consent must be given rather than implied.
- The right to access – Individuals have the right to access their personal information and the right to ask how it is used by the company that has it. The company must provide a copy of the consumer’s personal data in electronic format, free of charge if this is requested.
- The right to have the information corrected – This ensures that individuals can have their data updated if it is out of date, incomplete or incorrect.
- The right to data portability – Individuals have the right to transfer their data from one service provider to another. This must happen in a commonly used and readable format.
- The right to restrict processing – Individuals can request that their data is not used for processing. Their record can remain in place but is not to be used.
- The right to be notified – If there has been a data breach that compromises an individual’s data, the individual has a right to be informed within 72 hours of the company first becoming aware of the breach.
- The right to object – This includes the right for the individuals to stop the processing of their data for direct marketing. Any processing must stop as soon as the request is received. In addition to this, this right must be made clear to individuals at the very start of any communication.
GDPR is the EU’s way of giving individuals protection and more power over their data, and less power to the organizations that collect it.
How GDPR will affect your business
ALL businesses must comply with the GDPR regulation.
GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Non-EU established organizations will also be subject to GDPR. So, if your business offers goods and/or services to citizens in the EU, then it’s subject to GDPR.
Organizations and companies that work with any sort of personal data should appoint a data protection officer or data controller who oversees GDPR compliance.
Organizations that don’t comply with GDPR are looking at fines of up to 4% of annual global revenue or 20 million Euros.
For example, British Airways and Marriott International are facing massive fines that amount to hundreds of millions for failing to comply.
- British Airways is facing fines of up to €200 million for a data breach that occurred in September 2018
- Marriott International is expected to be fined in the region of €99 million for a data breach that lasted from 2014 to 2018
GDPR can have a heavy, negative impact on an entire company, including the way companies handle marketing and sales activities.
Preparations for GDPR-compliance
A key component of the GDPR legislation is privacy by design.
Privacy by design requires that all departments in a company look closely at their data and how they handle it. There are many aspects involved in being compliant with GDPR. Here are a couple of steps to get you started.
- Map your company’s data – All personal data you receive anywhere in your business should be mapped, and you should document where you hold it. Identify any risks, who can access the data and where the data resides. This will also help with customer relationship management.
- Determine what data you need to keep – There’s no need to keep more information than necessary. If you are collecting excess data with no real benefit, it is probably time to get rid of what you don’t need and keep only what is important to your business.
- Put security measures in place – Security measures are your best bet for containing any data protection breach. This means guarding against data breaches and taking quick action to notify individuals and authorities in the event a breach does occur.
You should consider preparing a breach notification template to send out when a GDPR issue occurs. This is a good place to start.
Law firm EMW found that data breach complaints have increased by 160% since the GDPR came into effect.
You will need to establish procedures for handling personal data.
As we mentioned earlier, individuals have 8 basic rights under GDPR.
So now you need to establish policies and procedures for how you will handle each of these situations.
Here are a few examples:
- What is the process if an individual wants their data to be deleted?
- If an individual wants their data to be transferred, how will you do it?
- What is the communication plan in case of a data breach?
- How can individuals give consent in a legally valid manner?
- How can you confirm that the person requesting a data transfer is who they say they are?
- How will you ensure that a deletion is carried out across all platforms and that the data really is deleted?
This comes with challenges but opportunities too. GDPR was first announced in 2016, and it seemed as if there was enough time for companies to take the necessary steps to prepare. Yet companies are still trying to sort out their GDPR compliance even though the deadline has already passed.
If you have not started yet, we urge you to start now.