You have most likely heard of the General Data Protection Regulation (GDPR), but you may not appreciate just how significant it is. It is a new EU legal framework that regulates how organisations may collect and use personal data about individuals, including the audience data that marketing relies on. Many businesses are unsure how to implement it, which is worrying because the GDPR applies from 25th May 2018. Any uncertainties need clearing up sooner rather than later, so this blog answers four of the most frequently searched questions about the GDPR.
Why is the GDPR Important?
Gemalto’s Breach Level Index states that 5,349,463 data records are lost or stolen every day (as of 18th August 2017). The GDPR introduces new tenets including:
- A duty to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and to tell the affected individuals without undue delay where the breach is likely to put them at high risk.
- A clear set of rules for collecting and using personal data: every processing activity needs a lawful basis, and data must be collected for specified purposes and limited to what those purposes require.
- A push towards pseudonymisation: wherever possible, data sets should be transformed so that records cannot be traced back to a specific individual without additional information (such as a key or lookup table) that is kept separately and protected.
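The pseudonymisation point above is the one tenet that is an engineering task rather than a policy one, so here is an added example (not code from the original post) showing what it does and does not buy you. It replaces each customer's email address with a keyed token so that per-customer analysis still works, and shows why an unkeyed hash does not count: anyone with a list of candidate addresses can reverse it. The record layout, field names, sample customers and the attacker's guess list are all constructed for illustration.

```python
"""Pseudonymising customer records so a data set can be analysed without
identifying individuals. Added example; every record and name below is
constructed for illustration, not taken from the original page."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample records (not real people).
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 120.50},
    {"email": "bob@example.com", "postcode": "M1 1AE", "spend": 43.00},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 19.99},
]

# Constructed list of addresses an attacker could plausibly guess.
ATTACKER_DICTIONARY = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone can recompute it for a guess."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 token. Without `key`, a guess cannot be checked against the token.
    The key is the 'additional information kept separately' that makes this
    pseudonymisation rather than anonymisation: the key holder can still re-link."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a keyed token and drop the original.
    The same person always maps to the same token, so aggregation still works.
    The postcode is coarsened to its outward code because a full postcode plus
    spend history is a quasi-identifier on its own."""
    out = []
    for rec in records:
        out.append({
            "customer_token": keyed_pseudonym(rec["email"], key),
            "postcode_area": rec["postcode"].split()[0],
            "spend": rec["spend"],
        })
    return out


def reidentify(token: str, candidates: List[str], fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: return the candidate whose pseudonym equals `token`, if any."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


def spend_per_customer(pseudonymised: List[dict]) -> Dict[str, float]:
    """Analysis that needs linkability within the data set but not identity."""
    totals: Dict[str, float] = {}
    for rec in pseudonymised:
        totals[rec["customer_token"]] = totals.get(rec["customer_token"], 0.0) + rec["spend"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # store this apart from the data set
    data = pseudonymise(CUSTOMERS, key)
    print(data)
    print(spend_per_customer(data))
    # Unkeyed hash: trivially reversed from a guess list.
    print(reidentify(naive_pseudonym("alice@example.com"), ATTACKER_DICTIONARY, naive_pseudonym))
    # Keyed token, attacker without the key: no match.
    wrong_key = secrets.token_bytes(32)
    print(reidentify(data[0]["customer_token"], ATTACKER_DICTIONARY,
                     lambda c: keyed_pseudonym(c, wrong_key)))
```

The practical lesson is in the last two calls: the unkeyed hash of an email address is recoverable by anyone who can guess the input, so it offers no protection at all, while the keyed token is only reversible by whoever holds the key. That key must therefore live somewhere the analysts of the pseudonymised set cannot reach, and rotating it invalidates every old token.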
Who Does GDPR Apply To?
The GDPR applies to organisations inside the EU and to many outside it. This includes:
- Every organisation established in the EU that processes personal data, whatever the nationality of the people concerned, so EU employers are covered for their staff data as well as their customer data.
- Organisations outside the EU that offer goods or services to people in the EU, whether or not payment is required.
- Organisations outside the EU that monitor the behaviour of people in the EU, for example through web analytics or profiling.
Microsoft and Google have announced that their operations will be GDPR-compliant before 25th May, which matters for companies that use services such as Microsoft 365 and G Suite. Note that a compliant provider does not make you compliant: you remain the data controller for what you put in those services, and you need a data processing agreement with the provider that sets out what it may do with your data.
How Can My Business Implement GDPR?
First, companies must have a clear policy for how they collect data. Consent is one lawful basis for processing, not the only one; where you rely on it, it must be freely given, specific and informed, and the individual can withdraw it at any time. Other bases, such as performance of a contract or a legitimate interest, must be identified and documented before processing starts. Companies must also keep clear records of their processing activities, so they can confirm to customers how their data is being used. They must be able to provide customers with a copy of their data when requested, and they must erase data on request where no other legal ground for keeping it applies.
The Information Commissioner’s Office (ICO) places great emphasis on “the accountability principle. The GDPR requires you to show how you comply with the principles.” You can find out more about this here.
Other actions businesses must take to be GDPR-compliant include:
- Appointing a Data Protection Officer (DPO). The DPO is responsible for monitoring GDPR compliance and must already be well-versed in data protection law. For certain organisations the appointment is mandatory: public authorities (excluding courts acting in their judicial capacity), and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data such as health records. You can learn more about the requirements for a DPO here.
- Privacy by design. Security and privacy are often afterthoughts in process design. The GDPR requires data protection to be built into products and systems from the outset and by default: collect only the data a purpose needs, keep it only as long as it is needed, and protect it with appropriate technical measures such as encryption and pseudonymisation.
What Are the Risks of Not Adhering to GDPR?
The sanction that gets everyone’s attention is the heavy fines. Non-compliance can result in a fine of up to €20m or 4% of a company’s total worldwide annual turnover, whichever is greater. Individuals can also claim compensation if your processing of their data breaches the regulation, for example if you collect it without a lawful basis. You can learn more about fines and penalties for GDPR non-compliance here. Mishandling or illegally collecting data could also do severe damage to your public image; recent examples include the NHS data loss scandal from earlier this year.
Hopefully this blog has answered the main questions you have about GDPR. As many of our solutions are data-driven, proper security measures are integral to the work we do. If you’re interested in working with an agency that gets the absolute most out of data, click here to contact us.