The GDPR (General Data Protection Regulation) was adopted by the European Parliament in April 2016 and becomes enforceable on 25 May 2018.
That’s all well and good, but what is it and how is it going to affect how you do business?
What is GDPR?
The GDPR is a new EU regulation passed by the European Parliament. It replaces the 1995 Data Protection Directive (95/46/EC) and the national data protection acts built on it (for example Personuppgiftslagen, PUL, in Sweden). Its purpose is to harmonise the varying data protection laws across Europe, with the ultimate aim of protecting the privacy of the individual and providing a more competitive environment.
The hope is that this will give EU citizens better control over their personal data and give organisations clearer direction on how they may use that data.
This is a HUGE DEAL!
For an individual, or for a business that wants to compete with others who lock in their end-users' data, that is good news. It is also becoming a board-level question, because the risk of NOT complying with the new law goes up significantly: from May next year, infringement of the GDPR can cost you up to €20 million or 4% of your annual global turnover, whichever is higher. These are huge penalties for any organisation.
Does your organisation have a CRM?
Perhaps a database of customers that your sales team turns to every day? A set of Excel files where you store the same type of data?
If you do, then the passing of the GDPR is relevant to you, yes, you.
Do you use survey tools? An ERP-system? E-mail tools? Marketing Automation tools?
Yes, then it’s applicable to you, too.
So any non-compliance in your organisation needs to be fixed before the legislation kicks in. How can you prepare for the GDPR? First you need some background on what will apply to you:
Do you store data in the cloud?
This is what happens to Cross-Border Data Transfers
Cross-border data transfers will still be permitted under the GDPR, but only if the receiving country provides an adequate level of protection (an EU adequacy decision) or the transfer is covered by appropriate safeguards such as standard contractual clauses or binding corporate rules. So if your data is stored in the USA, or you use an email marketing/survey/CRM/marketing automation system whose servers are hosted in the US, the transfer is not legal unless such a safeguard is in place, for example the provider being certified under the EU-US Privacy Shield framework.
Even when you are only crossing a border within the EU, you are most likely exposing your data to the scrutiny of national and possibly foreign intelligence agencies, whether under a legal mandate such as Sweden's FRA law or the USA's FISA, or simply in practice by most if not all national intelligence bodies.
This means more organisations that store data in the cloud need to take action.
The Right to Know and Right to Be Forgotten
Under the GDPR, private individuals have the right to know what data is stored about them (the right of access) and the right to be forgotten (the right to erasure). This means that people can not only ask to be "unsubscribed" from your mailing list; they can require you to delete them from your database entirely, subject to exceptions such as data you are legally obliged to retain. If your reason for collecting the data has an end date (for example information that is only needed during a campaign running over a particular period, or during the start-up of something), then all systems will need to be able to clear that data automatically when it expires.
The Right to Port Data
A user will have the new right to port data about him or her from one organisation to another. What does data porting mean? It means the data a user has provided to you must be handed over in a structured, commonly used, machine-readable format, so that it can be transferred more easily, including e.g. historical activity, from Facebook to Google+ or from one electricity provider to another. The purpose is to make it easier to compete.
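The three obligations above (retention with an end date, erasure on request, and a machine-readable export) all touch the same data store, so here is one added example that is not code from the original post. It models a minimal personal-data store in Python; the record fields, the `legal_hold` flag used to exempt data under a statutory retention obligation, and the sample records are all assumptions constructed for the illustration:

```python
"""Minimal personal-data store: retention expiry, erasure, access report and portable export.
Added example; field names, the legal_hold exemption and the sample data are assumptions."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class PersonalRecord:
    subject_id: str                 # pseudonymous identifier of the data subject
    purpose: str                    # why the data was collected (campaign, newsletter, invoice ...)
    data: dict                      # the personal data itself
    collected_at: datetime
    retention_until: Optional[datetime] = None   # None = no fixed end date
    legal_hold: bool = False        # assumed flag: data we are legally obliged to keep (e.g. invoices)


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: List[PersonalRecord] = []

    def add(self, rec: PersonalRecord) -> None:
        self._records.append(rec)

    def purge_expired(self, now: datetime) -> int:
        """Storage limitation: drop every record whose retention end date has passed."""
        before = len(self._records)
        self._records = [r for r in self._records
                         if r.retention_until is None or r.retention_until > now]
        return before - len(self._records)

    def erase_subject(self, subject_id: str) -> int:
        """Right to erasure: remove everything about the subject except records under legal hold."""
        kept, removed = [], 0
        for r in self._records:
            if r.subject_id == subject_id and not r.legal_hold:
                removed += 1
            else:
                kept.append(r)
        self._records = kept
        return removed

    def access_report(self, subject_id: str) -> List[dict]:
        """Right of access: what is stored about the subject, why, and until when."""
        return [
            {"purpose": r.purpose, "data": r.data,
             "collected_at": r.collected_at.isoformat(),
             "retention_until": r.retention_until.isoformat() if r.retention_until else None}
            for r in self._records if r.subject_id == subject_id
        ]

    def export_portable(self, subject_id: str) -> str:
        """Right to data portability: the subject's data as structured, machine-readable JSON."""
        return json.dumps({"subject_id": subject_id, "records": self.access_report(subject_id)},
                          indent=2, sort_keys=True)


def build_sample_store():
    """Constructed sample data (not real customers): one expired campaign record, one
    newsletter opt-in, one invoice under legal hold, plus an unrelated second subject."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = PersonalDataStore()
    store.add(PersonalRecord("s-1001", "spring-campaign", {"email": "anna@example.com"},
                             now - timedelta(days=120), retention_until=now - timedelta(days=30)))
    store.add(PersonalRecord("s-1001", "newsletter", {"email": "anna@example.com", "opted_in": True},
                             now - timedelta(days=90)))
    store.add(PersonalRecord("s-1001", "invoice", {"name": "Anna Example", "amount_eur": 49.0},
                             now - timedelta(days=60), retention_until=now + timedelta(days=7 * 365),
                             legal_hold=True))
    store.add(PersonalRecord("s-2002", "newsletter", {"email": "bo@example.com"},
                             now - timedelta(days=10)))
    return store, now


def demo():
    """Run the three obligations in order and return the counts at each step."""
    store, now = build_sample_store()
    expired = store.purge_expired(now)               # the campaign record has passed its end date
    accessible = len(store.access_report("s-1001"))  # newsletter + invoice remain visible to the subject
    exported = len(json.loads(store.export_portable("s-1001"))["records"])
    erased = store.erase_subject("s-1001")           # newsletter removed; invoice kept under legal hold
    remaining = len(store.access_report("s-1001"))
    return expired, accessible, exported, erased, remaining


if __name__ == "__main__":
    print(demo())
```

The point of the `legal_hold` exemption is that erasure is not absolute: an invoice you must keep for bookkeeping survives an erasure request, and the access report still shows the subject that it exists and until when. Scheduling `purge_expired` to run regularly (nightly, for example) is what turns a stated retention period into an actual one.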
The need to report incidents
Previously, you could have a data breach and, beyond doing what you could to remedy it, had no general obligation to tell anyone. From the onset of the GDPR you are obliged to report a breach to your national Data Protection Authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to the individuals concerned), and to inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
The New One Stop Shop
The one-stop-shop mechanism means that a business operating in several EU states will deal primarily with one lead supervisory authority, the one in the country of its main establishment, rather than with all 28 national authorities separately. Together with having one regulation instead of 28 different national implementations, this should make it cheaper to operate across the EU.
As time marches on towards 25 May 2018, it really is time to begin preparing your organisation for GDPR compliance, whether that means changing the location of your database servers, ensuring you have consent to e-mail the contacts in your database, or building or growing your contact database with proper consent ahead of the incoming legislation.
Over the next few weeks we will be writing a lot about how you can best prepare your organisation for the GDPR, since it is both an opportunity and an area requiring action for you and your organisation. Make sure you stay tuned!
Why not sign up here to get our GDPR action plan for B2B companies?