What You Need to Know About the General Data Protection Regulation
October 24, 2017
Does your company sell products or services to customers in the European Union? If it does, your compliance challenges are about to increase. Starting in May 2018, the EU General Data Protection Regulation will govern the things that your company must do to ensure the safety of your customers’ private data. The GDPR applies regardless of your company’s location, and failure to comply can subject you to a hefty fine of €20 million or 4 percent of your company’s yearly earnings.
Even if your company doesn’t sell to customers in the EU yet, you may still need to make changes to comply with the new regulation if you use software such as an advanced analytics platform to track user behavior on your website. The regulation may also apply if your company maintains a mailing list with members who live in the EU.
Does your company save any data that could potentially identify an individual person? If you store the email addresses, mailing addresses, phone numbers, photos, credit card details or communication records of customers, prospects or users, it’s likely that the new EU regulations will apply to you.
Will the New EU Data Protection Regulations Apply to My Company?
If any of the qualifications above fit your company, it’s likely that the new data protection regulations will apply to you. Your company does not need to have a minimum size for the regulations to apply. The regulations also apply to nonprofit organizations. If you would like your company to continue selling to customers in the EU — and do not want to stop collecting website usage statistics and other data from people in the EU — you’ll need to comply with the regulations by May 2018.
What Are the Requirements of the General Data Protection Regulation?
Appoint a Data Protection Officer
Under certain circumstances, the regulation requires companies to appoint data protection officers. This requirement only applies to your company if one of your primary activities is the collection, monitoring, and processing of a “large amount” of customer data. Some have criticized this aspect of the regulation because it isn’t clear about what constitutes a “large amount” of data. In addition, the regulation leaves room for EU member states to add further requirements. Small companies may find it difficult to remain abreast of member states’ additions. However, the requirement to appoint a Data Protection Officer should not apply to most small businesses.
Report Data Breaches Promptly
If your company suffers a data breach affecting EU citizens, you’ll need to report the breach to EU authorities as quickly as possible. If a criminal could potentially use the stolen data to cause harm to EU citizens, you’ll also need to inform those individuals. If you’ve used encryption to make the stolen data unreadable, you can forgo informing individual customers and make a public announcement of the breach instead. The intention of the reporting requirement is to ensure that those whose personal data has been stolen can take action to defend themselves before a criminal has an opportunity to use the data to commit a harmful act.
Get Consent When Collecting Data
Perform Data Protection Impact Assessments
Does your company use a new and unproven technology for data analysis? Do you use collected data to profile your customers? If you can answer “yes” to either of those questions, your company may engage in data processing that could potentially inhibit the rights and freedoms of your customers. The new EU data protection regulation requires your company to conduct a Data Protection Impact Assessment. If you determine through the DPIA that your activities could present a significant risk to your customers, you’ll need to inform EU authorities before moving forward with the project.
Let Customers Control Their Data
The new data protection regulation grants significant powers to customers in terms of how they can control the usage of their private information. Some of the things that you’ll need to do to give customers all of the rights outlined in the GDPR include:
- Grant privacy by default. If your website collects and shares data about customers, you’ll need to ensure that your customers have given consent before you begin collecting that data. Until you have customers’ consent, you’ll have to keep their data private.
- State your data collection purpose. Your customers must give their informed consent to data collection, which means that you’ll need to tell them why you’re collecting data and what you intend to do with that data. If you want to do something else with the data that you’ve already collected, you’ll need to obtain consent again. The consent applies only to the data collection purpose that you originally state.
- Limit transfers of data to other entities. The new EU data protection regulation imposes limitations on the transfer of personal data to entities outside the EU. If you intend to transfer customer data to a third party, you may need to obtain permission from your customers and from EU authorities.
- Heed regulations for data processors. If your company is a processor of data rather than a collector, you’ll have additional burdens such as the need to maintain an audit trail for each data transfer.
- Tell customers what you know about them. Under the new regulation, EU citizens will have the right to know what information companies are collecting about them. Under normal circumstances, your company will have 30 days to respond to any request from a customer asking what information you possess about that person and how you’re using it. In some cases, though, it may be possible for your company to extend that deadline to a maximum of 90 days. In addition, your organization will have the right to bill the administrative costs of data lookups to the customers who request them.
- Exercise care when dealing with minors. Under the new regulation, only EU citizens aged 16 and older can give consent to data collection. The regulation allows EU member states to lower the age requirement to 13 if they wish.
- Allow customers to change their minds. Even if an EU citizen has given your company permission to collect, process and share data, that person still has the right to change his or her mind. If a customer requests that you delete his or her data, you’ll need to honor the request.
How Can My Company Get Help Complying With the General Data Protection Regulation?
If your company doesn’t have an existing data protection officer or compliance expert, the burden of complying with the new EU data protection regulation may be great. Some technology experts have predicted that many companies will have trouble finding experienced privacy experts in time for the May 2018 deadline for complying with the regulation.
Are you unsure of how the GDPR will apply to your business or how you will comply with it? Complying with the regulation may require significant changes to your website text, data processing software and internal business processes. Changing your website to comply with the regulation — especially if you do not want to disrupt the existing user experience for customers in other regions — will likely require custom coding. If your company’s in-house servers offer insufficient encryption and intrusion protection, you may need to move to a cloud-based infrastructure with stronger security.
Companies around the world face legal compliance issues every day, and upgrading the data protection that you offer your customers may require significant technical expertise. With the new EU data protection regulation, compliance is mandatory if you intend to continue selling products or services to EU citizens — and the price of failing to comply is higher than most companies can bear. Don’t leave anything to chance — contact TA Digital now to learn more about how we can help.