If there’s one thing that’s guaranteed to make marketers nervous, it’s ‘GDPR’. The announcement of the General Data Protection Regulation (GDPR) caused a huge stir, not just in Europe but across the world. Approved by the European Parliament in April 2016, GDPR introduced a number of major changes to how organizations are allowed to store and utilize customer data, with huge penalties looming over anyone who fails to take the new regulations seriously.
Under GDPR, citizens in the European Union have much greater control over their personal data. The new laws focus on privacy and consent, giving customers every right to know when and how their data is being used, and even when it has been compromised. These days, almost every service provider uses online data in one form or another, including banks, government agencies, retailers and employees, as well as online giants like Facebook and Google. Crucially, customers even have the ‘right to be forgotten’ and can withdraw consent to use their data at any time.
Most organizations rushed to become GDPR-ready by the point it came into effect in May 2018. Despite this, many failed to become GDPR-compliant by the deadline, risking serious fines as well as public scrutiny. Even now there are companies around the world which remain ignorant of GDPR. Sadly, it isn’t something that can just be waited out; even the UK government has clarified that its departure from the EU will not affect its commitment to the regulations.
So, what exactly is GDPR, and what do companies need to know? Following the regulations is a matter of both behavior and design; not only must businesses integrate data protection into any new technologies, products and services going forward, but they must also train staff to properly handle customer data. Many organizations are also required to hire ‘data protection officers’ (DPO), who can assess capabilities, highlight flaws and provide basic legal advice or knowledge to stress the importance of following the regulations.
Creating a GDPR checklist for yourself will certainly help things along, but GDPR-compliance will need to be treated as an ongoing obligation if you want to avoid the worst fines.
With that in mind, let’s take a look at exactly what you need to know about GDPR.
What is personal data?
The use of ‘personal data’ is the bread and butter of GDPR. The regulation’s own definition of personal data is ‘Any information relating to a living, identified or identifiable natural person.’
This can include:
- IP addresses
- Generic data
- Biometric data
Who do GDPR regulations apply to?
GDPR applies to all organizations which store or process data from citizens in the EU. However, this is not only relevant to companies based in EU member states; any company which has EU customers must comply with GDPR. As such, there are very few major corporations around the world which have not been affected by the regulation in some way.
Article 4 identifies two key roles in organizations subject to GDPR:
- Data controllers – Any person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data.
- Data processors – Any person, public authority, agency or other bodies which processes personal data on behalf of a controller
There can be both controllers and processors involved in a service. For example, a high street retailer (controller) could have a customer provide information to open an account. The retailer would then pass the information to another company (processor) which would store, digitize and catalog it. Because both organizations would be subject to GDPR they would each need to take steps to become GDPR-compliant.
What does GDPR mean for companies?
While there are a number of valid economic arguments against GDPR, it is a sad fact that, in the past, many organizations have spectacularly failed to properly manage customer data. Whether as a result of hacker activity or incompetence, millions of people have had their data exposed over the years. This is hardly a harmless crime: many customers have even been the victims of identity theft as a result of poor information security.
Regardless of how companies may feel about GDPR, they should nonetheless familiarise themselves with the new rights enjoyed by customers:
- Information on data usage – Organizations must make clear when, why and for how long a customer’s data is being used, as well as who it will be shared with. They must also provide privacy information and give customers the option to opt out. This includes when stored data is being used for new purposes.
- Privacy information – Any information on data usage provided by organizations must be intelligible, transparent, concise and easily accessible. Using clear and plain language is essential. Organizations should also be prepared to regularly review and update their privacy policies when necessary
- Right to be forgotten – If customers no longer want to have their data processed, they can request to have it deleted. If there are no valid legal grounds for retaining said data, the organizations in question must oblige
- Right to know about data breaches – In the event of a data breach, an organization must notify the relevant national and supervisory authorities as soon as possible. In some cases, they may also be required to inform customers so that they can take action to protect themselves
GDPR and data breaches
When information is lost or stolen, hackers and criminals may use it to target customers. Under GDPR, organizations are required to take sufficient steps not only to ensure that information is protected but also to minimize the damage in the event of a breach.
In the event that an organization detects a ‘personal data breach’, it must inform the Information Commissioner’s Office (ICO). Not every breach will necessarily pose a risk, though every incident should be assessed by a certified data protection officer (DPO) to make absolutely sure.
When an organization detects a reportable data breach, it must report it within 72 hours, where feasible. Should the breach pose a high risk to individual rights and freedoms, the organization must also inform the individuals in question without delay. Such a breach could be one with the potential to lead to:
- Financial loss
- Loss of confidentiality
- Damage to reputation
- Any economic or social disadvantage
This will usually be done via a ‘breach notification’. This cannot be done via social media, company websites or press releases; customers must be informed via direct correspondence. The most typically used method is email correspondence.
Given the urgency required in the event of data breaches, it is crucial for organizations to set up reliable and robust breach detection capabilities, as well as succinct investigation and internal reporting procedures. Not only will this facilitate decision making about whether the ICO will need to be notified, but it will also streamline the delivery of breach notifications so that affected individuals can protect themselves.
GDPR fines and penalties
Organizations which fail to become GDPR-compliant can face significant penalties. Not only can they be subject to huge fines, but their public relations can also take a hit, potentially decreasing their client pool.
The penalty for a GDPR breach will depend on the severity of the case in question, as well whether the guilty party is deemed to have taken adequate measures to ensure security and compliance.
The maximum fine is €20 million or 4% of an organization’s annual global turnover, whichever is higher. This can be imposed for:
- Infringement on rights of data subjects
- Unauthorized international transfer of personal data
- Failing to put procedures in place
- Ignoring subject data access requests
There is also a lower (though by no means paltry) fine of €10 million or 2% of an organization’s annual global turnover, whichever is higher. This can be imposed for:
- Failing to report a data breach
- Failure to build in privacy by design/ apply data protection to the first stages of a project
- Failure to appoint a data protection officer (if required by law)
However, these are by no means the only criteria for GDPR penalties. It is crucial that organizations make themselves aware of exactly what is expected of them. Remember, in the event of a breach, being able to show that you have taken the correct steps to adhere to GDPR could save you a great deal of money and stress.
Appointing a data protection officer
A data protection officer (DPO) has the job of ensuring that an organization is fully GDPR-compliant. They will oversee an organization’s strategies, educate its staff and conduct security audits, while also serving as the main point of contact between the organization and the relevant supervisory authorities.
Hiring a DPO is not strictly mandatory, except for any organization which:
- Carries out large-scale processing of certain categories of data
- Carries out large-scale monitoring of individuals
- Is a public authority
While DPOs do not require specific qualifications, Article 37 of the regulation specifies that they must have ‘expert knowledge of data protection law and practices.’ It is also worth pointing out that a DPO’s expertise must cover the exact practices of their organization.
Even when this is not mandatory, appointing a data protection officer can make it much easier for an organization to remain GDPR-compliant. You should also keep in mind that failing to appoint a DPO when required can be considered non-compliance, which could result in serious financial penalties.
How to comply with GDPR
Sadly, due to the widely varying structures and goals of the organizations to which GDPR applies, there is no ‘one size fits all’ approach to becoming GDPR-compliant. Rather, organizations must assess their own requirements, find out what steps need to be taken and continually adhere to the regulations as part of an ongoing initiative.
A large part of this revolves around deciding who the relevant processors and controllers are, though companies should also consider:
- Personnel – Is your staff upskilled in the correct behavior to ensure GDPR compliance? For example, do they know how to locate and delete customer data?
- Systems – How does your organization process, store and utilize data? For example, you may need to reevaluate your storage structure to make it easier to find and delete data, while also taking adequate steps to upgrade your security
- Budget – Have you designated enough funding to ensure data security? You may also need to consider hiring a DPO. If this seems expensive, keep in mind the financial penalties for non-compliance