What Is GDPR?
GDPR is a brand-new EU regulation, which is coming into force this year. GDPR stands for General Data Protection Regulation—so you can guess that it’s a law which relates to how businesses collect, store and use their customers’ personal data. It will come into force in May 2018, so now is the time to get compliant, before it’s too late. So let’s take a look at exactly what GDPR changes!
What Does GDPR Change?
GDPR introduces a number of new rights for citizens of the European Union. Specifically, it gives them the right to tell a business what to do with their data, in a way not dissimilar to how enrolment with the TPS (Telephone Preference Service) gives people the right to ask for their records to be removed from a call centre’s telephone database. Under GDPR, European citizens have the right to access and correct or demand the deletion of their personal data from a business’ records, no matter which industry your business is a part of.
GDPR also changes the way that businesses go about asking for their customers’ consent to collect, process or sell their data. To be specific, it requires that you ask for a customer’s ‘explicit consent’ in order to process their data in certain ways. Explicit consent, as defined by GDPR itself, is:
...Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
As it happens, this isn’t a million miles away from the regulations we already have in place. However, GDPR sets some new guidelines with regards to how businesses obtain consent and process data. For instance, all businesses have to store data securely: any data breach must be reported to a local authority within 72 hours, or the organisation in question could face a significant fine. This is a reaction to breaches such as those that hit Uber, and were covered up; had GDPR already been in force, Uber could have been fined up to €20m.
GDPR necessitates greater safeguards against breaches like these through increased day-to-day security. Under GDPR, your business will have to:
- Encrypt everything, whether the data is in use or at rest
- Put greater security in place with regards to who is allowed to access data, and track who accesses data, and when, using an audit log
- Ensure that any data used by development teams cannot be traced back to individuals
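The last two points in that list are easy to state and easy to get wrong in practice, so here is an added example (not code from the original article) showing one way to implement them in Python: every read of personal data goes through an access check that writes an audit entry whether or not the read is allowed, and a copy handed to a development team has its direct identifiers replaced by keyed HMAC-SHA256 tokens and its free-text fields dropped. The customer record, the role names and the key are constructed for the example; in a real deployment the key would come from a key manager and the underlying store would also be encrypted at rest, which this example does not show.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record for the example; not real personal data.
SAMPLE_CUSTOMER = {
    "customer_id": 1042,
    "name": "Alice Example",
    "email": "alice@example.com",
    "postcode": "AB1 2CD",
    "orders": 7,
    "notes": "Called about a late delivery",
}

# Hypothetical key. Never hard-code this in a real system: load it from a key
# manager and keep it out of the development environment entirely.
DEV_PSEUDONYM_KEY = b"example-only-key-from-a-kms"

# Fields that identify a person directly, and fields that might do so indirectly.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "postcode")
FREE_TEXT = ("notes",)


def pseudonymise_for_dev(record: dict, key: bytes) -> dict:
    """Return a copy of `record` that cannot be traced back to the individual.

    Direct identifiers become keyed HMAC-SHA256 tokens: the same input always
    gives the same token, so joins between tables still work in a test
    database, but without the key a token cannot be brute-forced back to a
    name or e-mail address from a word list. Free-text fields are dropped
    outright because they may contain identifiers in unpredictable places.
    """
    out = {}
    for field_name, value in record.items():
        if field_name in FREE_TEXT:
            continue
        if field_name in DIRECT_IDENTIFIERS:
            msg = f"{field_name}:{value}".encode()
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()
            out[field_name] = token[:16]  # truncated token is enough for a test DB
        else:
            out[field_name] = value
    return out


# Hypothetical roles permitted to see personal data; developers are not among them.
ROLES_ALLOWED_TO_READ_PII = {"support", "dpo"}


@dataclass
class AuditedStore:
    """In-memory stand-in for the customer database, with an access audit log."""
    records: dict
    audit_log: list = field(default_factory=list)

    def read(self, actor: str, role: str, customer_id: int, purpose: str) -> dict:
        allowed = role in ROLES_ALLOWED_TO_READ_PII
        # Log every attempt, denied ones included, before any data is released.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "customer_id": customer_id,
            "purpose": purpose,
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"role '{role}' may not read personal data")
        return dict(self.records[customer_id])
```

Logging denied attempts as well as successful reads matters: a run of refused reads from one account is exactly the signal a security team wants when investigating how a breach happened, and the 72-hour reporting window leaves little time to reconstruct that history after the fact.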
These few changes make it obvious why businesses worldwide are spending billions on GDPR compliance.
Who Might Be Affected?
Any business that needs personal data for marketing or direct sales will be particularly affected by these changes. That being said, GDPR affects practically every kind of business, including every single one that needs to collect and store customer data. The good news is that GDPR won’t require you to ask for ‘fresh’ consent from each and every one of the data subjects in your database, provided that their data was obtained in a way that meets the GDPR standard, in other words, meeting the threshold of ‘explicit consent’ above and the guidelines in the final section below. Let's face it: if you are collecting email addresses without consent, that is also likely to be a big cause of a shrinking subscriber list, because no one likes simply being added to a list.
More widely, any business that collects personal data for whatever reason—like an online marketplace that needs names and addresses to make deliveries, or a software developer that requires users to sign up and provide details before allowing access to their product—will have to review their data collection and processing policies.
GDPR also introduces a penalty for non-compliance which is more than just a slap on the wrist. If you breach GDPR, the maximum penalty that you can be fined is 4% of annual global turnover up to a maximum of €20m. The penalties are tiered. You will be subject to the maximum 4% fine for serious infringement, such as not seeking customer consent for what you want to use their data for. Conversely, you will be subject to a 2% fine for not having your records in order, or for failing to correctly report a data breach.
How Will Brexit Affect GDPR?
As we mentioned above, you don’t have to operate in the European Union to fall under GDPR. If in any way you process the data of individuals within the EU, or sell to individuals within the EU, then the way that you collect and use their data must be GDPR compliant. Regardless, the UK government has indicated that their post-Brexit implementation of certain EU laws will include GDPR or an equivalent of it. So, post-Brexit—or no matter what happens with regards to politics—if you do business in the EU or with EU citizens, you’ll have to be compliant.
How Should I Prepare For GDPR?
The first thing to review is how you obtain consent. To meet the ‘explicit consent’ threshold quoted above, the consent you collect must be:
- Granular: the data subject has to be given a variety of choices with regards to their data, each of which is clearly explained
- Unbundled: the data subject withholding their consent to your use of their data cannot serve as a reason for you to deny them other parts of the service that your business offers (unless your service is dependent on the use of their data)
- Documented: your business must keep records of what exactly the data subject has and has not consented to, as well as how exactly and when exactly they consented
- Specific: consent cannot be generic. When asking for a data subject’s consent, you must ask for their consent with regard to specific processing operations
- Open to withdrawal: data subjects must be able to withdraw their consent at any time, should they so wish
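Those five requirements translate fairly directly into how a consent record should be stored. As an added example (not code from the original article), here is a small Python consent ledger: each processing purpose is a separate, explained choice (granular, specific), every grant or withdrawal is kept as its own timestamped event with a note of how and where it was given (documented), the current answer is simply the latest event for that purpose (open to withdrawal), and only the purposes the service genuinely cannot work without are allowed to gate access to the service (unbundled). The purposes and the shop scenario are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed example purposes for an online shop. Each one is a separate choice
# with its own plain-language explanation; there is no "accept all" purpose.
PURPOSES = {
    "order_fulfilment": "Use your name and address to deliver what you ordered",
    "marketing_email": "Send you our newsletter",
    "profiling": "Analyse your purchases to recommend products",
}

# Purposes without which the service cannot be provided at all. Only these may
# block use of the service; withholding any other consent must not.
NECESSARY = {"order_fulfilment"}


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal. Events are never edited, only appended."""
    purpose: str
    granted: bool
    at: datetime
    method: str  # how the choice was made, e.g. "unticked box ticked by user"
    source: str  # where it was made, e.g. the form or endpoint


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def record(self, purpose: str, granted: bool, method: str, source: str,
               at: Optional[datetime] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; consent must be specific")
        when = at or datetime.now(timezone.utc)
        self.events.append(ConsentEvent(purpose, granted, when, method, source))

    def withdraw(self, purpose: str, method: str, source: str,
                 at: Optional[datetime] = None) -> None:
        """Withdrawal is just another event, so it can happen at any time."""
        self.record(purpose, False, method, source, at)

    def status(self, purpose: str) -> Optional[ConsentEvent]:
        """Latest event for the purpose wins; None means the subject was never asked."""
        for ev in reversed(self.events):
            if ev.purpose == purpose:
                return ev
        return None

    def may_process(self, purpose: str) -> bool:
        """No recorded, affirmative grant means no processing: silence is not consent."""
        ev = self.status(purpose)
        return ev is not None and ev.granted

    def may_use_service(self) -> bool:
        """Only the necessary purposes gate the service (the unbundling rule)."""
        return all(self.may_process(p) for p in NECESSARY)

    def history(self, purpose: str) -> list:
        """Full documented trail for one purpose, oldest first."""
        return [ev for ev in self.events if ev.purpose == purpose]
```

Two design choices carry the compliance weight. The ledger is append-only, so a withdrawal does not erase the evidence that consent once existed and when; and `may_process` defaults to `False` for any purpose the subject was never asked about, which is what stops a pre-ticked box or an unmentioned purpose from counting as consent.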
Naturally, this is just a brief overview of what you may or may not need to change. GDPR might mean that you have to make wholesale changes to how your business operates, or you might not have to change a thing. If you’d like to know more about the specific changes you should put in place to make your website GDPR compliant, look out for Part 2 of this series, coming soon.