Important Steps You Must Take to Ensure GDPR Compliance

Have you heard of GDPR? Do you know whether or not it affects your company or how to become GDPR compliant? Here is some information about the regulation.

What is GDPR?

As explained by ITPro Portal, the European Union’s General Data Protection Regulation (GDPR) went into effect in May of this year. It clarifies what rights European citizens have regarding the data that companies are collecting from them and regulates how that data is being collected, stored, and processed. The rule not only applies to European companies, but also to companies who do business with citizens within the European Union.

An article from Fortune states that, under GDPR, companies must allow customers to see and delete the data that has been collected on them; provide notice of data breaches within 72 hours; make data policies accessible and transparent to the average person; hire a data protection officer; and follow “privacy by design” principles — meaning that the company must embed GDPR in all of the phases of its design.

The data that falls under GDPR includes personally identifying information such as name, ID number, location, and online identifiers such as email addresses. The regulation also covers data that reveals a person’s characteristics or preferences, such as ethnicity, political views, sexual orientation, and criminal or health records.

Forbes noted that any business with a web presence or that markets its products online could potentially be affected. GDPR doesn’t just apply to monetary transactions. If you collect data on someone from the EU, you’re in the regulatory bubble. For example, if a U.S.-based company is looking to run a campaign in France and is collecting email addresses of French citizens, it needs to understand GDPR and, at the very least, notify those individuals of what it plans to do with the email addresses. If a vendor sells a product or service to a resident of the EU, it will need to obtain explicit permission, written in clear language, for each type of processing done with this data.

The Consequences of Non-Compliance

As the Fortune article noted, the penalties for not complying with GDPR are steep. Regulators can fine violating companies the higher of 4 percent of their global revenue or 20 million euros. A report from The Verge put this in perspective: a 4 percent fine against Amazon would equal $7 billion.

However, according to The Verge, proving that a company is compliant will be time-consuming. If an EU customer submits a data subject request, the company has 30 days to respond. If it does not respond, the customer must then file the request with a regulator.

Managing Compliance

ITPro warns that companies should be careful when using algorithms. GDPR prohibits analyzing data collected through automated systems and using it as the basis for decisions that have legal implications, unless the person the data was collected on is fully aware of its intended use and has granted permission.

According to an additional article from Forbes, companies should also take these steps to ensure that their data is GDPR compliant:

  • Create a game plan that involves and includes every department and builds compliance into your design
  • Audit your current list and cleanse data
  • Simplify your data privacy policy so anyone can understand it
  • Make sure consumers are aware of their privacy rights
  • Let your customers know that you are GDPR compliant
  • Make sure you have tools in place to obtain user consent for the data you collect

Further Suggestions

ZDNet also has some suggestions for maintaining GDPR compliance, including creating a preference center where users can indicate their communication preferences and opt in to or out of subscriptions or notification emails. Each subscription or opt-in option should state explicitly how frequent the subscription is and what will be received.

ZDNet also encourages companies to build into their game plan a policy for how they will handle a data breach, should one occur. This policy should include informing and training all employees, publishing as much information about the breach as possible and as soon as possible, and providing customers with information about how to file a complaint, get assistance, or reach the customer service department in the event of a breach.

Learn more about M1 Data & Analytics.
