“What is GDPR?” is the most common question we’ve been getting in our inboxes over the past few months. To help more of our users and the email marketing community, here’s what constitutes GDPR compliance.
Privacy protection is garnering attention. To protect people in the EU, the European Union has passed a new framework to safeguard the personal data and privacy of its residents.
Evaluate your business today and hold on to your hard-earned data.
Effective May 25th, 2018, GDPR is a set of rules on how organisations must process and handle personal data. Under it, personal data must be processed transparently, for a clearly stated purpose and on a lawful basis, such as the end user's consent. Once that purpose has been fulfilled, the data should be deleted, unless a legal obligation (accounting or tax law, for example) requires you to keep it.
The GDPR gives users more control over what they have shared. Among other rights, users can access, rectify or have their data deleted altogether. The regulation also sets the foundation for a uniform set of data protection rules throughout the European Union: where there used to be a different set of rules per country, there is now a single one. The old rules dated from 1995, and this radical change was much needed.
Let’s review the facts in more detail:
GDPR: The game changer of data privacy
The new regulation has created demand for legal and technical experts, and has given rise to an entirely new job title (see Data Protection Officer (DPO) below). To help clarify the landscape for you, here are a few basic facts you should be aware of:
What is GDPR?
GDPR is the regulation passed by the EU on the protection of the personal data of people in the EU. It replaces the EU Data Protection Directive (95/46/EC) and takes it up a notch, adding requirements that startups, B2B and B2C businesses alike, charities and public bodies must all comply with.
What is GDPR about?
The mission of GDPR is to protect personal data and privacy, as well as the security of that data. Personal data includes, but is not limited to, details such as first and last name, email address and phone number. Pseudonymised data, online identifiers such as an IP address or a customer ID, and any other data that can be linked directly or indirectly to a living individual are also personal data. Data about a company as such is not (see the HR section below).
Controllers and processors
Data controllers decide the "why" and the "how" of data processing (the purposes and the means), so a controller could be anything from a startup to an established business to a charity. Data processors process personal data on the controller's behalf and on its instructions, for example an email service provider, a cloud host or an outsourced IT team. Both have obligations under GDPR, but the controller carries the primary responsibility.
What does GDPR involve?
Primarily, GDPR is concerned with a revision of end-user rights. In practice:
- Let your users know what changed in how you handle their data.
- Inform your users of their right to access the personal data you hold on them.
- Inform your users that they can have incorrect personal data corrected.
- Tell your users they have the right to ask you to erase their data altogether (the right to be forgotten).
- Make sure you don't collect or store more data than you need for the stated purpose.
- Ensure you can export a customer's data in a structured, commonly used, machine-readable format that can be transferred to another service (the right to data portability).
- Educate your users on their right to object to their personal data being processed at all, including for direct marketing.
On a second level, GDPR is concerned with the processes that organisations monitoring, storing or handling this data must set up to safeguard their users' data, both proactively (security by design, data minimisation) and reactively (breach detection and notification).
Can I send campaigns to my current list?
By May 25, 2018, you need a valid lawful basis for emailing your existing users. For most marketing lists that means consent that meets the GDPR standard: freely given, specific, informed and unambiguous, with a record of when and how it was obtained. If the consent you already hold does not meet that standard, you need to obtain it again before the deadline. Find out more below.
What is the new routine now?
- For your existing users, the basic areas that must be covered in your new routine to become GDPR compliant are:
  - Map your current database and contacts (who they are, where they came from, what consent you hold and when it was given).
  - Review your data practices and publish what you follow (your privacy notice).
- For your future users:
  - Ensure your future practices and sign-up forms are compliant with the new regulation.
What are the actions to be taken after a data breach?
GDPR requires you to put in place appropriate technical and organisational measures to prevent data breaches. If one does occur anyway, there are specific steps every GDPR-compliant organisation must take. As soon as you become aware of a breach of personal data, notify your data protection authority within 72 hours, unless the breach is unlikely to result in a risk to the people affected. If the breach is likely to result in a high risk to them, you must also inform the affected individuals without undue delay. A processor that discovers a breach must notify the controller without undue delay. For the UK, the Information Commissioner's Office (ICO) is the authority to contact.
Within that window you won't necessarily have all of the details that will be needed later. What matters is an approximate estimate of the number of people affected, the likely consequences, and the action plan you are following. Document every breach and your response to it, whether or not it had to be reported. A controller or processor can be fined for failing to secure the data or for failing to notify in time.
Upon request from an individual, their personal data must be provided in CSV or Excel files, or another common machine-readable format, so that it can be transferred to another organisation. This process is time-bound: it must be completed within one month of the request, extendable by a further two months for complex cases, provided you tell the individual why.
Fines for non-compliance
Non-compliance fines can be as high as €20 mn or 4% of the company's annual global turnover, whichever is higher, for the most serious infringements; a lower tier of €10 mn or 2% applies to others, such as failing to notify a breach or to appoint a required DPO. Meanwhile, Commissioner Denham's office (the ICO) has stated that higher fines could be imposed for non-compliance in the future. It should be clarified, though, that awareness of and demonstrable effort to comply with GDPR are taken into account, so the size of a fine will depend on a number of factors.
When will it be in effect?
GDPR applies from May 25th, 2018. After that date, fines may apply in cases of non-compliance.
Why does my business need GDPR?
Is your business based in one of the EU member states? Then your business must be GDPR-compliant, so that it can demonstrate transparency and security of personal data throughout the company and its processes. (If you are based outside the EU, see below.)
When do I need a Data Protection Officer?
Not every organisation needs one. A Data Protection Officer is mandatory for public authorities and for controllers or processors whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (health, biometrics, political opinions and similar) or of criminal conviction data. Other organisations may appoint one voluntarily. A DPO is responsible for data protection within the business and for keeping it compliant with the current framework. Failing to appoint a DPO when one is required is itself an infringement that can be fined.
Can I still buy purchased lists?
Don't. Let's start there: buying lists sits at the opposite end of the GDPR compliance continuum. The people on a purchased list never gave you consent, and you usually cannot demonstrate on what basis their data was collected, which is precisely what GDPR asks you to show. Besides the deliverability problems, GDPR might allow certain purchased lists, but in the long run, is this a risk you are willing to take?
I run a business outside the EU – am I affected?
If your organisation processes or stores the personal data of people in the EU, for example by offering them goods or services or by monitoring their behaviour, then you must be GDPR-compliant regardless of where the organisation is based.
Do I get in trouble if I don’t comply?
Possibly. Unless you are willing to risk a fine of up to €20 mn (or 4% of your annual global turnover, whichever is higher), or customers flooding your inbox with complaints about the misuse of their personal data, you will want to be GDPR-compliant by May 25th, 2018.
What does GDPR mean for HR?
As we mentioned in our latest blog post about GDPR, data about a company as such is not considered personal data under GDPR. Data about the employees of an organisation, however, is. Achieving GDPR compliance in HR is not an easy task, and our friends at BeststartHR have created a nifty guide on how your Human Resources department can achieve compliance.
Am I GDPR-compliant already?
What is GDPR? – Further reading at these useful links:
- General Data Protection Regulation (GDPR) – official link – 99 articles
- Information Commissioner's Office (ICO) – Getting ready for the GDPR – GDPR Checklist for data controllers and data processors