May 25th, 2018 will forever have the dubious title of GDPR-day. It was the day that the General Data Protection Regulation (GDPR) came into force. The Regulation was originally adopted in 2016, and organizations were given two years to prepare for its enforcement.
However, many businesses are still not compliant with GDPR, with only some 10% of small businesses said to be prepared for the Regulation. There are dire consequences for organizations that do not comply with the Regulation – a fine of up to €20 million or 4% of global revenue (whichever is greater). That is a sum that will dent many large organizations’ bottom lines, and sink many start-ups.
Consequences of not complying
The consequences of non-compliance aren’t just financial. With many high-profile data breaches, the public’s trust in organizations’ data use is shaken. The most recent one following May 25th was from Dixons Carphone. It involved a breach of 1.2 million customer records and an attempted compromise of 5.9 million credit and debit cards. Under GDPR, the company could face a potential fine of £423 million. This is significantly more than its last fine – £400,000 for a data breach in 2015.
But loss of trust could be more damaging to an organization. Rebuilding a brand’s reputation following a data breach could end up costing a company more in the long run. Under GDPR, individuals have more rights over their data and over how companies can use it. Following a breach, many customers might choose to withdraw all consent for the use of their personal data. For affected companies, that might make it impossible to run many daily operations – marketing analytics and personalization, for example.
GDPR is worldwide
It’s important to note that the GDPR has a global impact. Despite the Regulation originating from Europe, it affects any organization that uses European citizen data. U.S. companies are still required to comply with GDPR when doing business in Europe and using the personal details of people living there. Likewise, businesses in the UK are still required to comply with GDPR despite Brexit. This is because GDPR has been ratified into UK law as the Data Protection Bill.
As a consequence of GDPR’s far-reaching requirements, several companies have removed all access to services if a user is based in Europe or the UK. Instapaper is temporarily pausing services in Europe until it gets to grips with the Regulation, whilst Unroll.me has completely withdrawn its services. Some U.S. news sites, including the LA Times and Chicago Tribune, are also unavailable to European readers.
GDPR is the largest data law to date, with a broad set of requirements that affect all businesses and all departments.
Consent is the most publicized requirement of GDPR and the one that struck fear into many business leaders. Under GDPR, the ownership of personal data is no longer a gray area. Previously, a business such as Fitbit could argue that it owned any data collected through its devices. However, now any personal data belongs to the individual involved.
For businesses, this means that consent must be freely given for any use of personal data. It also needs to be reviewed regularly. Organizations must now have clear processes for gaining consent and reviewing it. They also need to be able to prove that consent has been given for specific activities.
On that note, consent needs to be given for each and every use of personal data. If a business wishes to use data to segment its customers, then it needs to get consent. If the same data is going to be used to predict sales, then consent needs to be given again.
Consent must be freely given. Offering an exclusive voucher to people who give consent could be seen as being in breach of GDPR. Similarly, pre-ticked check boxes that someone has to untick in order to opt out are not GDPR compliant.
Under-16s cannot give consent for the use of their data. Businesses will have to filter out any customer who is under 16 or gain consent from their parents or guardians.
Under GDPR, businesses are going to have to make sure their data management is watertight. Records of consent must be stored with the data they relate to. Withdrawal of consent needs to result in the deletion of the personal data concerned. If consent is withdrawn and that data is then used, it’s a breach of GDPR.
Data security is paramount. Any breaches need to be reported to the relevant data authority within 72 hours. Data leaks are likely to result in a punitive fine under GDPR.
Individuals have a right to:
- See how their data is being used
- Ask for data to be moved to another organization
- Have their data deleted (within a 30-day deadline).
Procedures will need to be in place to ensure all of this happens when requested.
On the eve of enforcement, almost half of the general public hadn’t heard of GDPR. That’s despite a flurry of emails and other efforts by businesses to gain consent.
Clear communication is key for all businesses. Because of the requirement to obtain informed consent for all personal data use, any request to use customer data needs to be understandable. Bayes’ theorem might mean something to a team of data scientists, but it’s likely to draw a blank look from consumers. Language needs to be jargon-free. Therefore, it’s worth running any consent request past a professional writer or a non-technical employee.
Data protection officers
Some organizations will have to appoint a Data Protection Officer (DPO). If a company carries out any regular monitoring through personal data, or if it uses sensitive data (this includes data on race, religion, sexual orientation, criminal convictions and health) then it will need a DPO. Small businesses and start-ups are not exempt from this requirement.
Because of its scope, GDPR will affect every department in an organization. Employees must understand the Regulation, why it has been brought in and their role in compliance. Workshops can help liven up an otherwise dry subject. Organizations need to make the Regulation feel relevant and understandable. Because of its consequences, GDPR is not another box-checking exercise. It’s a good idea to break down the requirements into a series of training exercises.
It is vital to explain why data is so valuable. Some kind of value exchange could help bring this to life – a bake sale where employees can get a cupcake for an email address, for example.
Consider third parties
Businesses don’t just have to consider their own compliance. Any third parties that use customer data should also be compliant if working on behalf of the business. A digital marketing agency that creates email newsletters for a retailer has to be GDPR compliant. If not, both the agency and the retailer could be in trouble.
The future impact of GDPR
GDPR ushers in a sea-change in how we use and view personal data. Consumers are becoming more aware of the value of their data, and organizations need to step up in order to gain the public’s trust. The stakes are now higher than ever for any business using data. That includes businesses outside of Europe.
U.S. companies cannot rest easy in the belief that GDPR doesn’t apply to them. At the same time, awareness of data value and security is filtering through to U.S. consumers as well. It may also reach U.S. legislation. The CONSENT Act has now been proposed to curb data collection by social networks and online companies.
There is a cultural change occurring, and consumers are holding organizations much more accountable. Data is the new oil, which means it’s worth quite a bit. People are realizing the value exchange that occurs when a company uses personal data. They are beginning to demand a fairer deal from organizations.
Ultimately, the higher standards demanded by GDPR and other new data laws can only be a good thing. It requires businesses to step up and use data responsibly – or to risk the wrath of regulators and the public.