A big change in how digital businesses collect and handle customer data is quietly approaching. And if you sell goods or services online, there’s an excellent probability you’ll be affected by it.
I’m talking about the European Union’s General Data Protection Regulation (GDPR), which was passed on May 25, 2016. We’re currently in the middle of a two-year grace period between the GDPR’s passage and its enforcement by authorities on May 16, 2018.
Despite the impending deadline, the GDPR has flown under the radar of many businesses. This is understandable, particularly for firms based outside of the EU. But before long, most online businesses will need to reckon with the law. Let’s explore the challenges – and opportunities – it presents.
First things first. What the heck is GDPR? It is the set of rules governing personal data across all 28 EU member nations.
For the purposes of the GDPR, “personal data” refers to any piece of online or offline data that can identify a person, directly or indirectly. Such data can include a person’s name, email address, IP address, contact details, geographic location, or even posts on social media accounts.
A definition so broad will force businesses to treat even the most innocuous personal data with almost the same gravity they currently reserve for highly sensitive details like payment info and medical history.
To ensure compliance, the GDPR’s regulations will be enforced by hefty fines. Under the GDPR, the maximum fine for non-compliance has ballooned to 20 million EUR or 4% of annual revenue, whichever sum is greater. All the more reason to pay attention…
Must your business comply with GDPR? EU-based firms are almost certainly subject to its regulations. But for businesses operating outside the EU, the answer might come as a surprise.
In contrast to earlier laws, the GDPR applies to all processing of personal data from subjects in the European Union, regardless of whether or not the processing actually takes place within the EU or whether payment is exchanged or required.
With the enforcement of GDPR, businesses with no physical presence in the EU are now technically subject to EU regulation if they serve EU citizens. In addition to firms offering goods and services, this also applies to all companies engaging in behavioral monitoring of EU citizens, i.e., profiling site visitors for marketing purposes. This broader territorial scope, coupled with the GDPR’s aggressive penalties for non-compliance, should prompt more businesses to pay attention to it.
The GDPR and the readjustments it brings did not arise out of thin air.
Technology moves fast. And the last EU-wide data protection law was written 22 years ago, in 1995. At the blink-and-you’ll-miss-it pace of the Internet, this is eons ago. It follows that the EU would want to update its policies to reflect the realities of technology today.
Beyond staying up to date, the EU also desires to create the digital equivalent of its borderless single market. By drafting one set of laws to dictate data use and collection across the entire EU, it hopes to eliminate online barriers and help businesses build data processes that are universally compliant.
Lastly, to protect citizens, the European Commission seeks to standardize and codify European norms governing data use. By extending the law’s territorial scope beyond the EU’s borders, the European Commission is probably also hoping to influence the way other nations treat customer data.
What It Means for You
So what does all this actually mean for your business? The overarching mandate of GDPR is to put ownership of personal data firmly in the hands of the consumers to whom it belongs. To remain in compliance with GDPR, businesses may need to change how they collect, store and hand over this data.
Here are some of the most important highlights:
- Privacy by Design and by Default: Instead of consent by default, the preferred mode of many digital businesses, any data collection activity (web forms, marketing profiling, etc.) must be designed according to the principle of data minimization and should ask the user to explicitly opt-in. Any such data gathering activity must include clear, intelligible language explaining its exact purpose and legal basis.
- Stricter Documentation and Accountability: In addition to gathering explicit consent for data collection, businesses must also keep dated records that this permission was requested and granted, as well as documentation of the activity’s legal basis. The same applies when processing data for other legitimate purposes. If a data subject claims that your business gathered their data without consent, the onus is on you to prove that consent was granted or that another legitimate purpose exists.
- Right to Data Portability: Consumers must be able to easily gather their data from a provider and transfer this information to another vendor. This means you’ll need processes in place to accommodate such requests.
- Notification: Firms must have a plan in place to notify data subjects and the relevant authorities of a data breach in a timely fashion, which typically means no later than 72 hours after the breach was discovered.
These are just the tip of the iceberg: GDPR comprises a whole slew of specific rules and regulations – 99 articles over 88 pages, to be exact. Feeling adventurous? You can read the whole thing here.
Taken together, GDPR will require a drastic rethinking of how affected businesses use and process customer data. To maintain compliance, businesses will need to undergo a period of reflection on and auditing of their current data practices. This means answering many key questions, including:
- What types of data am I collecting from current and prospective customers and employees?
- Do I need all of the data I’m collecting? Could I prove my justification if compelled to?
- Which persons or departments in my organization are responsible for compliant stewardship of data?
- How long do I need to store the data I collect?
This is no trivial exercise.
Consumers are more aware than ever of how their data is being collected and used. It’s likely that the firms that prioritize transparency and responsiveness will be more trusted than their peers. And in today’s brutally competitive marketplace for digital goods and services, a little bit of trust can become a competitive advantage.
As we approach the advent of the GDPR, savvy businesses should view it as a chance to reevaluate their attitudes and practices around customer data. And since there’s a high likelihood that the GDPR will affect most firms, why not play it safe and aim for compliance from the outset?
For more on compliance around the world, check out our ebook 3 Compliance Risks for Global Subscriptions.
Vincent Schwarz is the Compliance Manager and Data Protection Officer at cleverbridge.