On May 25th the new European privacy regulation (GDPR) came into force. What does this mean for your business and which tools can make your post-May-25th-life easier?
Does your company need to be GDPR compliant?
Let’s face it, the GDPR is all around. Even US companies are not out of its scope. You had better get to work if your business falls into one of the following categories:
- It has a presence in an EU country.
- It has no presence in the EU, but it processes personal data of European residents.
- It has more than 250 employees.
- It has fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
Why is it so important?
Being compliant with GDPR isn’t just about avoiding large fines (up to 4 percent of your global revenue). Most of all, it is about building a trustworthy and beneficial relationship with your customers. According to an RSA survey on data privacy, 72% of US respondents said they would boycott a company that repeatedly showed no regard for protecting customer data. On the other hand, fifty percent of all respondents said they would be more likely to shop with a company that could prove it takes data protection seriously.
What are the 3 key components you need to pay attention to right now?
Don’t panic if you failed to meet the May 25 deadline. According to a survey by Solix Technologies (December 2017), 22 percent of companies were still unaware that they must be GDPR-compliant. What’s more, a quarter of London businesses hadn’t even heard of GDPR in January of this year. Very few companies will have been 100 percent compliant by May 25th. So you are not alone.
But that doesn’t mean you shouldn’t make an effort to make the necessary changes to your data management systems. The General Data Protection Regulation describes a couple of key components (apart from data security) you need to pay attention to:
1. Right to be forgotten (deletion)
Individuals can exercise their right to be forgotten. They can ask you to delete all their data from your systems. You have to comply within 30 days (although there are a few exceptions). Data can be kept if it has undergone an appropriate process of anonymisation.
2. Fair and lawful basis of processing
Prior to processing their personal data, your (potential) customers must be informed about its purposes, what data will be collected, their data protection rights, … If you outsource some of the processing to an external organisation (e.g. if you use a cloud app to send your emailing campaigns, to connect other apps or as a CRM tool), there has to be a contract guaranteeing that your outsourcing partner provides sufficient measures to meet the standards of the European privacy regulation. You also need to be able to track where and when you acquired the lawful basis for processing someone’s data. This can be an opt-in, the signing of a contract or a legitimate interest (e.g. starting a trial) in your product or services.
3. Access and portability
If someone asks to access their personal data, you must confirm whether or not you are processing their data (and why) and provide them with a copy of all the data you are holding about them. They have the right to have their personal data corrected if necessary. Individuals are also allowed to transmit their data to another organisation or company.
Download your free GDPR checklist!
Not sure where to start? We created the ultimate checklist to collect, store and manage consent under GDPR. Best part? It’s completely free!
Disclaimer: The contents of this web page do not constitute legal advice. This page is for informational purposes only, and we strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR.