With less than two weeks remaining until the General Data Protection Regulation (GDPR) begins to roll out, most companies are still in the dark regarding what it is, how it affects them, and what they need to do in order to comply with the new regulations. In short, the GDPR helps European citizens to have more control over the data they share, how it is used, for how long it is stored, and when this data can be erased from the servers of the company that is using it.
The problem with GDPR is that, though it is well-intentioned, it is already raising enforcement and compliance issues, even in Europe. Many sources, even within the European Union, are not sure how the new regulations will be enforced across the world, since European individuals share their information with practically the whole world.
While Google and Facebook seem to have worked with their lawyers to make themselves GDPR-compliant, smaller companies and agencies may have a harder time understanding the finer points of the new regulations and making changes to their business structures that will help them comply with the European regulations.
Let us take a look at what GDPR is, and how it might affect your business in the short and long terms.
What is GDPR?
When companies began to collect data, voluntarily or involuntarily, at the beginning of the digital age, they did not expect that there would be so many threats to that data, or so many privacy issues concerning customers and clients. The fears ranged from identity theft to data breaches and, simply, misuse of personal information. All these fears culminated in the launch of GDPR within the European Union. We must remember that the European Union is the most progressive political unit today, and most governments follow the regulations put in place by the EU, sooner or later. So, if a version of GDPR is coming to the US or even China, be warned.
Responding to these fears, GDPR aims to safeguard the data shared by consumers and to give them the right to permit its use, request its deletion, or restrict it. Let us take a look at what the GDPR entails:
- The new law requires companies to be transparent about how they use the data, and all this needs to be mentioned clearly without using jargon or legalese.
- Explicit permission needs to be sought each time information is collected or used later on.
- Customers have the right to be informed of how their data will be used. Customers also have the right to access their own data, rectify it, erase it, restrict its processing, and object to the data being used at all.
- Customers have the right to data portability and to object to automated decision making and profiling, something that most marketers depend on for their survival.
- All data should be voluntarily shared.
- People have a right to know how the data will be used, and with whom it will be shared in future.
- Your terms and conditions regarding how data will be used should be written in plain language and should not be binding; there should be an option to reject sharing data.
- Data breach notifications should be sent out within 72 hours to the individuals, and also to the Data Protection Officer or Authority, depending on how serious the breach is.
- Collecting data related to minors (defined as those below the age of 16) needs parental permission.
How is GDPR going to affect your business?
If you run a business, chances are you will already need to become compliant with GDPR even if you do not have actual customers or clients in the European Union nations. This is because you cannot stop people from the European Union from visiting your website, purchasing products from it, etc. If you have a B2B business, things get murkier. Your contractors, your clients, or a business that you engage with may interact with European Union individuals, necessitating GDPR compliance. Businesses of all kinds and types will need to ensure that their websites and data strategy are GDPR compliant. Let us take a look at how it affects B2B and B2C establishments.
If you are a B2B business
Most businesses that engage in some form of outsourcing or external partnership will be affected by GDPR. Data that is shared by the primary client will be processed and used by an external provider or an outsourcing agency. If you are such an agency, you too will need to comply with GDPR. Speaking to a lawyer who is well versed in drafting a GDPR policy specific to your company is helpful, as is learning what other external vendors are planning to do in order to comply with GDPR. Data that is outsourced needs to be handled with the utmost care and confidentiality, and will need to be destroyed once the project is completed. Everyone involved in the project may be liable to prosecution if explicit permissions aren’t sought.
Additionally, the kind of data that a client shares with an agency may also come under GDPR regulations. For example, if a company decides to get branded stationery, all the letterheads, business cards and envelopes will contain personal information such as email addresses, telephone numbers, etc. This data will need to be protected by the design agency and their external partners. The data will also need to be destroyed once the project is completed. In this case, the design agency should explicitly state that the data will be destroyed once the project is completed, and that it will be shared only with those who are working on the project.
If you are a B2C business
Companies that deal directly with individuals, such as e-commerce stores, have a lot more at stake with the new GDPR regulations. Even collecting web traffic-related information may prove to be a legal risk, if one reads the GDPR document closely. Web traffic, cookies, cached data, or anything that stores information about the visitor’s location, demographics, IP address, etc. will need explicit permission before being stored or used. Much of this information is used for enhancing user experience on websites and for tailoring recommendations, but permission will need to be sought.
If you have an e-commerce store, you are probably already using customer details and web traffic information to understand your target audience better. You may use this data for lead nurturing, or for selling or recommending related products. Under GDPR, you will need to seek the permission of your customers before you can process their personal information this way. Pop-up boxes that seek permission, with an option to opt out of sharing, and a link to a page that describes how personal information will be used in layman’s language are all requirements of the new GDPR rollout.
What you can do to become GDPR compliant quickly
It may seem baffling and confusing when you need to change the way you do business on such short notice. Yet you might be surprised to learn that you may already be compliant with GDPR, apart from a few changes you may need to make. No matter what your situation is, begin with these steps:
- Audit your website, and learn how you are collecting information and data.
- Delete old data that is not required, and begin to organize useful structured and unstructured data.
- Invest in data analysis tools so that you can process data quickly and derive insights.
- Anonymize and encrypt all forms of personal data.
- Do not share the data you collect with third parties, without seeking explicit permission.
- Respect your customers and clients, and their right to privacy.
- On every website or property that you own, seek permission to use data explicitly, in unambiguous language.
- Provide a link to a page that describes how you use personal data, and how customers can opt out of sharing their information. This page should be written in very simple language and should not contain jargon or legalese.
- Invest in a little web design so that you can quickly publish pop-up boxes and privacy usage details, letting customers choose between sharing or not sharing their personal information.
GDPR compliance may actually help you scale
As you can see, the GDPR rollout may seem like an intimidating and ominous development. It doesn’t have to be. Now might be the right time to get rid of all the unwanted data you have and bring structure to your data management practices. Ensure that you compile data with permission and use it for analytics. In fact, being compliant with GDPR will earn you accolades from customers and clients, and you will appear more trustworthy and credible. Most importantly, you will avoid costly lawsuits and fines. Finally, you will begin to clean up your data closet, and ensure that all the insights you derive are useful, legal, and neither a burden to your company nor a threat to your customers or clients.