The GDPR, or General Data Protection Regulation, replaces the Data Protection Directive 95/46/EC on 25 May 2018. It regulates how organisations handle the personal data of people in the European Union. Its purpose is to impose a single, uniform set of data protection rules and so create consistency across the EU: unlike a directive, a regulation applies directly in every member state, so the member states no longer need to transpose it into their own national laws.
This blog post takes a closer look at the regulations around processing personal data of customers, prospects, fans and lovers of your brand and/or company. If you fail to be compliant you risk severe fines, of up to 4% of your company’s global turnover from the previous financial year, or a fine of up to €20 million, whichever is higher.
The most important GDPR requirements are:
- obtaining the consent of visitors before processing their data;
- pseudonymisation (or, where possible, anonymisation) of collected data, so that privacy is protected even if the data leaks;
- safeguards for transfers of personal data across borders, outside the EU;
- notifying the supervisory authority of personal data breaches (within 72 hours of becoming aware of them, where feasible) and, where the risk is high, the affected individuals;
- a Data Protection Officer who oversees GDPR compliance, where the organisation's processing requires one.
Who is the subject of GDPR?
Every organisation that offers goods or services to people in the European Union, or monitors their behaviour, is subject to this law, regardless of where it is located. The GDPR will therefore have a global impact. The regulation applies to data controllers and processors established in the European Union, and to organisations established outside the European Union if they collect or process the data of people who are in the EU.
According to the European Commission, personal data means any information relating to an identified or identifiable natural person, whether it concerns their public, professional or private life.
For instance, it can be a name, an email address, a photo, a post on social media, an IP address or medical information. All such data must be protected according to the new regulation.
Each member state of the European Union must establish an independent supervisory authority responsible for investigating complaints and sanctioning infringements.
Each state's supervisory authority will cooperate with the others, organising joint operations and providing mutual assistance. Processing for national security purposes falls outside the Regulation, and member states may lay down more specific rules for processing in the employment context.
Penalties for companies that fail to comply
At the moment, the Data Protection Directive sets no strict, uniform penalties for non-compliance. The General Data Protection Regulation changes this considerably.
Supervisory authorities will have broader powers than under the previous laws, and those powers will be the same across the European Union.
They will have the authority to investigate, issue warnings and perform audits. They can order corrective measures, set deadlines for them, and even suspend a company's transfers of data to particular countries. Companies that have not adapted to the new legislation by May 2018 risk fines of up to 4% of their global annual turnover.
Here's a list of the sanctions that can be imposed:
- warnings for unintentional or first-time non-compliance;
- data protection audits;
- fines of up to €10 million or up to 2% of global annual turnover, whichever is higher, for infringements of the provisions listed in Art. 83(4);
- fines of up to €20 million or up to 4% of global annual turnover, whichever is higher, for infringements of the provisions listed in Art. 83(5) and (6).
Requirements of GDPR
The General Data Protection Regulation contains 11 chapters and 99 articles. We made a list of the stipulations that will most affect your business's security operations. Here are the key changes under the GDPR:
Transparent policies – controllers and processors will need to:
- provide notice of data collection;
- explain processing purposes and use cases;
- define data retention and deletion policies.
Personal privacy – users will have the right to:
- access their personal data;
- have their personal data erased;
- correct errors in their personal data;
- export their personal data in a portable format;
- object to the processing of their personal data.
Controls and notifications – controllers and processors will need to:
- protect all the gathered data with appropriate technical and organisational security measures;
- notify the supervisory authority of data breaches;
- keep records of data processing activities;
- obtain consent (or rely on another lawful basis) before processing personal data.
IT and training – controllers and processors will need to:
- appoint a Data Protection Officer, where required;
- create and manage contracts with their processors;
- train their employees;
- audit and update their data policies.
What you need to know about consent
What will you need to change in order to collect data from people who visit your website, subscribe to newsletters, fill out contact forms and so on?
- Consent must be kept separate from your other terms and conditions.
- You can't use pre-ticked boxes; consent must be an active opt-in.
- You can no longer make consent a precondition of a service that does not need the data.
- Separate consent is needed for different purposes; one box doesn't fit them all.
- You must keep a record of when and how each individual gave consent, and what they were told.
- It must be as easy for an individual to withdraw consent at any time as it was to give it.
- You must name your organisation and any third-party controllers who will rely on this consent.
- You must explain why you want to collect the personal data and what you will do with it.
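The three record-keeping points above (separate consent per purpose, a record of when and how consent was given, and withdrawal that is as easy as granting) map naturally onto an append-only consent ledger. The following is an added example written for this post, not code from Baldwin or from the Regulation itself; the subject identifier scheme, purpose names and sample events are constructed for illustration.

```python
"""Append-only consent ledger (illustrative example, not production code).

Each event records one decision for one purpose, the timestamp (when), the capture
method (how) and the controller relying on it. Withdrawal is just another event, so
the full history can be produced on request and nothing is ever edited in place.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # pseudonymous identifier of the data subject (hypothetical scheme)
    purpose: str      # one specific purpose, e.g. "newsletter"; never "everything"
    granted: bool     # True = consent given, False = consent withdrawn
    at: datetime      # timezone-aware timestamp: when
    how: str          # how it was captured, e.g. "signup form v3, unticked checkbox"
    controller: str   # organisation (or third-party controller) relying on the consent


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> None:
        # Reject records that could not later prove when/how consent was obtained.
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if not event.purpose.strip() or not event.how.strip() or not event.controller.strip():
            raise ValueError("purpose, capture method and controller are mandatory")
        self._events.append(event)

    def grant(self, subject_id: str, purposes: List[str], at: datetime,
              how: str, controller: str) -> None:
        # One event per purpose: separate consent per topic, never one box for all.
        for purpose in purposes:
            self._append(ConsentEvent(subject_id, purpose, True, at, how, controller))

    def withdraw(self, subject_id: str, purpose: str, at: datetime,
                 how: str, controller: str) -> None:
        # Withdrawal is recorded the same way it was granted; it never deletes history.
        self._append(ConsentEvent(subject_id, purpose, False, at, how, controller))

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Was consent for `purpose` in force at `at` (default: now)?

        The most recent event on or before `at` decides; no event means no consent.
        Querying a past instant lets you justify processing that happened then.
        """
        at = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.subject_id == subject_id and e.purpose == purpose and e.at <= at:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, oldest first: the audit trail."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)


# Constructed sample data for the example; not real subjects or events.
SIGNUP_AT = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
WITHDRAW_AT = SIGNUP_AT + timedelta(days=30)


def build_sample_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.grant("subj-7f3a", ["newsletter", "profiling"], at=SIGNUP_AT,
                 how="signup form v3, two separate unticked checkboxes",
                 controller="Baldwin")
    ledger.withdraw("subj-7f3a", "profiling", at=WITHDRAW_AT,
                    how="account settings, one-click opt-out", controller="Baldwin")
    return ledger


def demo() -> Dict[str, bool]:
    ledger = build_sample_ledger()
    return {
        "newsletter_now": ledger.has_consent("subj-7f3a", "newsletter"),
        "profiling_before_withdrawal": ledger.has_consent(
            "subj-7f3a", "profiling", at=WITHDRAW_AT - timedelta(days=1)),
        "profiling_now": ledger.has_consent("subj-7f3a", "profiling"),
        "analytics_never_asked": ledger.has_consent("subj-7f3a", "analytics"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    for e in build_sample_ledger().history("subj-7f3a"):
        print(e.at.isoformat(), e.purpose, "granted" if e.granted else "withdrawn", "via", e.how)
```

The point of the time-aware `has_consent` query is that a complaint usually concerns processing that happened in the past; being able to show that consent was in force at that moment, and how it was obtained, is what the "keep a record" requirement is really asking for. In a real system the ledger would be persisted to tamper-evident storage and the `subject_id` would be a pseudonym kept apart from the identifying data.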
Why is GDPR good for your business?
Here at Baldwin, we think the benefits of being GDPR compliant are worth the investment. Here's why these regulations are good for your business:
It will help you create a good reputation
Cybersecurity must be a high priority for both business owners and clients. The risk of a data breach is not exactly a selling proposition for your business. Being able to demonstrate GDPR compliance gives you a real advantage in marketing terms: it boosts your business's reputation and marks you as a secure choice in the eyes of your prospects.
It will help you achieve customer loyalty
Better cybersecurity on its own helps you retain your existing clients and turn them into happy promoters of your brand.
It will help you gather more accurate data
The GDPR also requires companies to give clients access to their personal data: they will have the right to access, erase, correct and export it as they wish. Data controllers will be obliged to take reasonable steps to find inaccurate data and correct or erase it. As a result, the accuracy of the data you store will improve.
Overall, it must be said
The General Data Protection Regulation shouldn't be something that keeps you up at night. Yes, it may require considerable investment and change, but it will be worth it. After all, the new requirements bring real benefits for your business and your customers alike.