The topic of GDPR has been gaining steam in recent months as the implementation deadline nears, but alarmingly, only 14% of companies are said to be prepared for these huge new regulations. If you’re part of the majority that still isn’t quite sure what GDPR is or how to make sure your business is compliant, keep reading – you only have until May 25th to get compliant!
What is GDPR and its requirements?
Here’s a little background to help you understand how GDPR came to be. Back in 2012, the lawmakers in the European Union began to realize that the digital economy was going to need some bigger regulation rules in order to “give citizens back control over their personal data, and to simplify the regulatory environment for business.”
With that goal in mind, the EU’s executive body debated for three years about the details of what became known as the General Data Protection Regulation, or GDPR. The massive law is now set to go into effect on May 25, 2018 – meaning companies around the world are racing to make sure they’re in compliance with the strict legislation before it’s too late.
What are the exact requirements of GDPR?
To put it simply: If companies want to comply with GDPR, they’ll have to handle their consumer data with extreme care, providing clients and consumers with a variety of ways to control, monitor and delete their personal information.
- Under GDPR, every individual now has:
- The right to access their personal data and how it’s used, if they desire that information.
- The right to be forgotten – At any time, individuals can withdraw their consent from a company to use their personal data, and request that their data be deleted.
- The right to data portability – Individuals have a right at any time to transfer their data from one service provider to another, and companies must comply.
- The right to be informed – Individuals now must opt-in to share their data with companies, and give free consent versus implied consent. Companies must be able to prove that they offered consumers the choice to opt-in.
- The right to restrict processing – Individuals can request that companies not use their data for processing. While companies can still keep their data, they wouldn’t be able to use it.
- The right to object – This means that individuals can stop the processing of their data for direct marketing, and companies must comply as soon as the request comes in. Companies must also make this “right to object” clear to their consumers at the beginning of any communication efforts.
- The right to be notified of data breaches – Companies must notify individuals within 72 hours of becoming aware of any data breach that could compromise their personal data.
Will GDPR affect my business directly?
Chances are, yes. Although the law was created by the EU to benefit EU citizens, it has far-reaching effects due to the internet – which is why so many American-based companies, large and small, are doing everything they can to make sure they’re in compliance, too. Any company that has a website with form submissions for anyone to fill out is affected, because anyone from the EU could fill out those forms – even in the U.S.
Companies worldwide must comply if they have:
- A presence in an EU country.
- No presence in the EU, but process personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees, but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
So, yes – pretty much every company in the world will need to comply.
Does GDPR affect my third-party and/or client contracts?
Yes. The GDPR names two parties responsible for data: data controllers, the organization that owns the data; and data processors, any third-party that helps manage your data. Under GDPR, if a data processor is not in compliance – it means you’re not in compliance. Equal liability lies with both parties, which means third parties must also prove where data comes from and that their collection of data is compliant with GDPR. To do this, your business will need to create extremely clear contracts with third parties to define the responsibilities when it comes to managing personal data under GDPR.
Who is responsible for ensuring my company is compliant with GDPR?
Many larger companies are actually hiring specifically for roles to ensure they’re always in compliance with GDPR, including data controllers, data processors, and “data protection officers (DPO).” Smaller companies without the resources to hire someone for a DPO role will need to ensure someone on staff is responsible for managing compliance with GDPR at all times.
Worst case scenario, what happens if my company doesn’t comply with GDPR?
Here, you’ll find out exactly why so many companies are doing everything they can to comply. When it comes to punishment for GDPR non-compliance, the EU is not messing around.
Any company that breaches GDPR laws will face:
- A fine of up to 4% of annual global turnover, or €20 million euros – whichever is bigger, for more serious violations
- A tiered system of fines, with a lower level of penalties of up to 2% of global turnover, or €10M
With those kinds of numbers, it’s clear why companies should be taking every precaution possible to avoid breaching any GDPR rule.
How can marketers ensure they’re compliant?
For obvious reasons, many marketers aren’t exactly thrilled about GDPR requirements. And while it can seem daunting to comply and still generate new leads, marketers can still achieve lead generation in this new landscape!
As long as marketers strive for transparency, ensure they collect data for specific and legitimate purposes, are clear and direct with data subjects, and keep their databases clean, they can still thrive under GDPR.
Additional Resources:
- https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
- https://martechtoday.com/guide/gdpr-the-general-data-protection-regulation
- https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html
- https://techcrunch.com/2018/01/20/wtf-is-gdpr/