What is GDPR?
GDPR stands for General Data Protection Regulation. This new regulation is set to take effect this May 25. But what is it really, and would it affect you in any way? If you’re not a resident of a European Union (EU) member country, then May 25 won’t mean anything to you, but if you are a digital marketer or even a casual blogger, pay close attention to this article.
As of June 2017, there were about 433,651,012 internet users in the EU. That’s 85.7% of the EU’s population and 11.3% of the world’s internet users. About half of the EU’s internet users are also Facebook users; imagine the collective amount of data that these people share and consume daily. The inherent risks, together with the latest large-scale Facebook data breach, have the EU concerned. The concern is not unfounded. Existing data laws, especially in Europe, are outdated: the last law was enacted 20 years ago, and a lot has changed in personal data processing since then. This is where GDPR comes in.
GDPR focuses on the protection of the personal data of EU citizens. The regulation specifically addresses how online entities process and handle that data. The daunting part is that personal data covers such a broad spectrum: anything from the email address used for sign-ups to a plain list of names of possible leads is personal data. It won’t be surprising for a digital marketer on the opposite side of the world to have someone from the EU on their contact list.
Having access to this data doesn’t automatically subject you to the wrath of the EU and the GDPR, though; only failing to comply with the set of rules that comes with the regulation does. The EU is very serious about this, and you won’t want to step over the line.
GDPR Checklist: Things to Remember
Sometimes non-compliance is a result of a lack of awareness or carelessness. To avoid any incident where you’re caught off guard, consult this checklist and check for new laws and regulations from time to time. Note that this GDPR checklist is not exhaustive; it compiles information from different sources. For a more thorough and accurate analysis of GDPR, refer to the official text of the regulation.
- Data Identification and Classification
  - What type of personal data belonging to EU residents do I handle and process? (Conduct a data inventory)
    - Customer lists
    - Transaction records
    - Cookies and/or IP addresses
    - Employee/contractor records
  - Is any of the data I process sensitive?
    - Health data
    - Political leanings
    - Philosophical beliefs
    - Group memberships
    - Genetic information
    - Sexual orientation
    - Biometric data
  - Is this data necessary? What are its purposes?
    - It is a vital part of the delivery of services
    - It enhances the delivery of services
    - The data is used to benefit both the data subject and my business
    - The data mostly benefits only my business
- Your Data Process in the Context of GDPR
  - Is your collection of data legal? Did the data subject:
    - Give consent to the collection of data
    - Become aware of the stipulations of the data gathering process, especially data transfers to third parties
    - Have the option to refuse the collection of his/her personal data
  - Did you process the data in order to:
    - Fulfill your end of the contract as agreed with the data subject
    - Comply with legal obligations that you are subject to, or exercise your official authority in the name of the public interest
    - Protect the interests of the data subject and other data sources, especially real people
    - Perform necessary actions in the interest of your business or a third party
  - How did you handle the data?
    - You did not use the data to violate any fundamental rights of the data subject
    - You did not share the data with a third party that aims to violate any fundamental rights of the data subject
    - You did not transfer data to third parties outside of the European Economic Area (EEA) or to third parties that do not have Privacy Shield certification
    - You protected the data subject’s personal data against any malicious interests
GDPR Summary: Self-Assessment using a GDPR Checklist
Based on your answers to the checklist above, perform the following tasks to bring your data processing and handling into compliance with the regulation. By this point, you may have noticed some practices on your website that need improvement, not only for GDPR compliance but to improve the system overall.
Here are the things you should change or update:
- Make your Privacy Notice GDPR compliant
  - Include details on how you process personal data, where and how you use that data, how you secure the data, and your legal grounds for processing the data.
  - Add the new notice on every page of your website
  - Send a copy of the notice to your subscribers
  - You also need to create a separate document for the Employee Privacy Notice, in which you detail your lawful grounds for processing employee data.
  - Include GDPR-compliant wording in your opt-in or sign-up process. You can place this underneath the sign-up box together with the link to your GDPR-compliant Privacy Notice.
- Create GDPR-compliant consent requests.
  - Send the compliant consent request to your email list for electronic marketing communication
  - Ask for consent from data subjects when there is a need to process sensitive data. You can implement this through forms or double verification
- Create a system for recording consent request responses through your email marketing system.
  - Record consents sent through opt-ins
  - Record opt-outs
- Create a system for data subject requests.
  - You need to respond to the request within 30 days
  - The request should be free of charge
- Set up GDPR-compliant Processor Agreements.
  - Create a GDPR-compliant written agreement with any third-party entities that you transfer personal data to
  - Adapt the agreement according to your business/specific needs
  - Include a checklist to assess compliance with the privacy laws and technical requirements
- Create a Data Retention Policy.
- You may need to appoint a Data Protection Officer (GDPR would advise businesses if they need one)
- Create a data breach notification system.
  - The system should be able to identify any discrepancies in the data processing, including loss, alteration, unauthorized access and disclosure of data, and any risk to the rights of the data subject
  - Review your data security to ensure that no data breach would occur in the first place
  - Upon detection of a breach, you should notify the ICO within 72 hours.
- Perform a Data Protection Impact Assessment (DPIA)
  - Perform this assessment every time there is a breach, or whenever there is a chance that the data processing causes a high risk to the rights of individuals, whether they are the data subject or not.
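To make the record-keeping parts of the checklist concrete (recording opt-ins and opt-outs so consent can be proven later, tracking the 30-day deadline for data subject requests, and tracking the 72-hour breach notification deadline), here is a small Python sketch. It is an added example written for this page, not code from the article, from the regulation, or from any ICO tool; the record fields, the purpose name "email_marketing", the notice version string and all dates are constructed assumptions.

```python
"""Consent ledger and deadline tracking for the GDPR checklist above.

Added example; all names, purposes and dates are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DSAR_RESPONSE_DAYS = 30    # data subject request deadline stated in the checklist
BREACH_NOTIFY_HOURS = 72   # breach notification deadline stated in the checklist


def utc(*args: int) -> datetime:
    """Build a timezone-aware UTC datetime (naive timestamps cause deadline errors)."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    subject_id: str            # your own identifier for the person, not their email
    purpose: str               # what the consent covers, e.g. "email_marketing"
    notice_version: str        # which Privacy Notice text the subject was shown
    source: str                # where consent was captured, e.g. "signup_form"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only history: withdrawals mark a record, they never delete it,
    so you can still show that consent existed when a message was sent."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_opt_in(self, subject_id: str, purpose: str, notice_version: str,
                      source: str, when: datetime) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, notice_version, source, when)
        self._records.append(rec)
        return rec

    def record_opt_out(self, subject_id: str, purpose: str, when: datetime) -> int:
        """Withdraw every active consent for this subject/purpose; return count."""
        withdrawn = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = when
                withdrawn += 1
        return withdrawn

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Point-in-time check: was consent in force at the moment `at`?"""
        return any(
            rec.subject_id == subject_id and rec.purpose == purpose
            and rec.given_at <= at
            and (rec.withdrawn_at is None or rec.withdrawn_at > at)
            for rec in self._records
        )


def dsar_due_date(received_at: datetime) -> datetime:
    """Latest date to answer a data subject request (30 days per the checklist)."""
    return received_at + timedelta(days=DSAR_RESPONSE_DAYS)


def breach_notification_deadline(detected_at: datetime) -> datetime:
    """Latest time to notify the supervisory authority (72 hours per the checklist)."""
    return detected_at + timedelta(hours=BREACH_NOTIFY_HOURS)


def is_overdue(deadline: datetime, now: datetime) -> bool:
    return now > deadline


def demo() -> dict:
    """Walk through one constructed subject's consent history and two deadlines."""
    ledger = ConsentLedger()
    ledger.record_opt_in("subj-001", "email_marketing", "notice-2018-05", "signup_form",
                         utc(2018, 5, 25, 9, 0))
    ledger.record_opt_out("subj-001", "email_marketing", utc(2018, 6, 10, 12, 0))
    return {
        "consent_on_june_5": ledger.has_consent("subj-001", "email_marketing", utc(2018, 6, 5)),
        "consent_on_june_11": ledger.has_consent("subj-001", "email_marketing", utc(2018, 6, 11)),
        "dsar_due": dsar_due_date(utc(2018, 6, 1)).isoformat(),
        "breach_deadline": breach_notification_deadline(utc(2018, 6, 3, 10, 0)).isoformat(),
        "breach_overdue_at_11": is_overdue(breach_notification_deadline(utc(2018, 6, 3, 10, 0)),
                                           utc(2018, 6, 6, 11, 0)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the point-in-time check: an opt-out must stop future mailings, but the ledger keeps the original opt-in (with the notice version and capture source) so that a later complaint about a message sent on June 5 can be answered with evidence. Storing an internal subject identifier rather than the email address itself also keeps the ledger out of scope for most access and erasure requests.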
So, What Will Happen if You Fail to Comply?
It’s quite straightforward. You must pay a fine that can amount to either €20 million or 4% of your worldwide income in the past 12 months. That’s nothing to scoff at. Still, even from a technological standpoint, the effectiveness of enforcing such a regulation is in question. And some assume that GDPR only applies to giants like Facebook, Twitter, and other social networks that handle huge amounts of user data, since high-profile breaches like the one at Facebook almost always create ripples that affect legislation. This is far from the truth. Companies that meet these criteria are required to strictly abide by GDPR:
- Companies with operations in any EU member country.
- Companies that process personal data belonging to EU residents.
- Companies with more than 250 employees.
- Companies with fewer than 250 employees whose data-processing activities pose huge risks to the rights and freedoms of data subjects.
But non-compliance doesn’t just amount to fines; it also brings reputational damage. Nowadays, people are quick to assume guilt, especially if the offense involves a violation of trust. This is very risky for digital marketers in particular, since reputation is quite an investment in this industry.
This may sound grave, but the GDPR won’t be the last. As internet industries continue to evolve, governments will also want to catch up with laws and regulations that can protect the general population.
Other things to consider:
- It is advisable to consult your insurance broker to ensure that you have sufficient insurance coverage in case you incur fines or other liabilities from any GDPR violations.
- You’ll need to pay a Controller Charge. Those who process personal user data are called “data controllers” or “data processors”. After the implementation of the GDPR, controllers no longer need to register with the ICO; instead you’ll pay £40 to £2,900. This fee system only begins after your current ICO registration expires.
- You’ll need to train your employees in handling data processes in compliance with GDPR.
N.B.: This is what I learnt from a GDPR training I had in Kuwait by a UK GDPR lawyer. This is not legal advice; each business is unique, therefore you should hire a qualified lawyer to audit your online business.