No matter where you are in the world, the new GDPR (General Data Protection Regulations) have been in the news a lot over the past few weeks, with businesses in the UK and Europe getting busy preparing themselves for the new regulations to come into effect.
Europe’s General Data Protection Regulation changes the way businesses deal with data. It came into effect on May 25, 201, and is the largest shake-up of data protection in Europe for two decades as it changes how you can use personal data.
"The GDPR rules will better protect businesses and organisations from data breaches." - Grant Harrison, Ashbourne
Check out this guide on GDPR to find out more about the specifics of the new regulations.
However, while it may seem like something that will have no effect on your business if you’re based in the U.S., the truth is you still need to ensure you are fully prepared.
Max Robinson from Fish Tank Bank, says: "We had to get rid of our entire email marketing list in the run up to GDPR, which obviously had a rather large impact on our overall revenue. Since then, we've been using more offline marketing tactics, like handing out leaflets and attending business meet ups. It's harder to measure the impact of this activity vs digital marketing, but at least we can feel comfortable that we're operating within the laws of GDPR."
Many businesses in the U.S. have no idea how the GDPR will affect them. Sage carried out a recently that found 91 percent of businesses in the U.S. are lacking awareness of the details. If you want to operate in any EU member state, or serve any individuals living in the EU (e.g. via a company website) your business needs to be compliant. If your website is available to people based in the EU, or if you collect data from people in the EU, you will be affected.
However, it isn't just the U.S. that will be affected by GDPR coming into force. Ahmed Khanji, Chief Executive Officer of Sydney based cyber security company, Gridware, says: "GDPR has caused many Australian businesses to rethink how they manage, use and store customer data. It's also highlighted many risk areas to organisations because they have had to undertake compliance audits of what information they collect and how they store it to even understand whether they are captured by the regulation and to what extent.
"I've seen scaling start-ups and e-commerce businesses that would have otherwise been happily ignorant of international laws and regulations have now had to engage lawyers to review how their apps or stores capture customer information. It hasn't just impacted large organisations but even small service providers that service EU customers have had to rewrite their privacy policies to comply with GDPR requirements."
Danielle Stein Fairhurst, Owner of Plum Solutions, adds: "I run an online business specialising in financial modelling training. People take my online courses from all over the world, and I have a large database that I market to. Even though it’s a small business, when GDPR came in, we used it as an opportunity to clean up our processes. Although it really only applied to subscribers in Europe, we figured it was best practice to apply the same practices for everyone because 1. You don’t know exactly where they are located, and 2. The privacy laws may apply to Australia and other regions before long, so it was easier just to make everyone compliant."
The deadline for being GDPR-compliant has now passed, so if you are not yet compliant, make this a priority.
● If you have online marketing forms or any interactions with EU individuals, make sure you get explicit consent from the consumer. You cannot pre-tick your checkboxes to sign up for your newsletter, for example.
● If you have EU-based individuals on your email list, make sure they consented to be on that list, preferably via a double opt-in. If you have any doubts over this, write to them asking them to confirm they want to be on your list.
● If customers want to withdraw their consent, you must make it easy for them to do so. You need to have a process in place for this so they can delete their record, and you must provide them with a copy.
● If you process data that relates to anyone 16 or under, you will require parental consent.
● Large companies might want to consider employing a Data Protection Officer.
● You will also be required to have policies in place for your data protection to show precisely how you process data.
● Let your customers know that you are taking all the necessary steps to comply with the GDPR.
● If you suffer a data breach and personal data is at risk, you must inform an EU regulator within 72 hours. You might also have to notify the subjects.
Additionally it is important to think about those that you work with. Micah Owens, SEO Specialist at Golden Spiral Marketing explains that "as an integrated marketing agency, we’ve not only had to adopt GDPR best practices, but work with our clients to do the same. That can mean updating privacy policies, notifying subscribers, asking users to opt-in on forms, cleaning email lists to get rid of unengaged subscribers, and more."
That explains just some of the steps companies must take to prepare.
Non-compliance could result in a large fine. This could reach up to 20 million euros (or 4 percent of your annual turnover,it depends which is largest). The EU authorities have the powers to impose these fines.
How will the EU enforce these in the United States? Questions remain, but you don’t want to risk it.
"The GDPR is now in force, and if you have not yet taken steps to ensure you are compliant, now is the time to make this a priority. Don’t risk a crippling fine. There’s a good chance you won’t have to make too many changes, but you do need to ensure you are compliant."
Ryan Susanna, VP of Sales and Marketing for LogiSense Corporation, who have produced a guide on the First Steps to Fulfil GDPR, concludes: "The new GDPR legislation may in fact call for a new position in every enterprise that's dedicated to their compliance with new data privacy and protection legislation. This is someone who reports directly to the body of leadership so that the organization can make informed decisions that reshape its own processes.
"Entire organizations should read about GDPR compliance, but it is critical that organizations distribute related literature to IT, security, and legal departments, as well as executive teams. A single Data Protection Officer might be able to do this at regional companies, but national and multinational organizations will require more than one person to disseminate knowledge efficiently."