Is my Company Affected by the GDPR?
TL;DR Privacy of EU residents needs to be taken more seriously as of May 25th 2018. If you’re going to use someone’s personal data, you have to ask their permission first, and give them the option to change their mind or request the information later. Your company will most probably need to make some changes. And yes, it is as complicated as it sounds.
What is the GDPR and why is it needed now?
This ominous sounding acronym stands for General Data Protection Regulation (GDPR), and is a complete overhaul of an older EU regulation.
The gathering and usage of personal data by organizations has hugely accelerated in the last few years. By personal data, we mean any information that can directly identify someone, or lead to someone being re-identified. Now European Union legislators want to increase the protection of the interests of EU citizens. Fair enough.
Is my company affected?
Most likely: Yes
If you have a web presence, and market your company’s products over the web, the likelihood is that you are affected. The new regulation impacts any company worldwide that processes, transmits or stores data of people living in the EU. And despite what you may have read, companies with fewer than 250 employees still need to comply, though they may be exempt from some of the documentation requirements.
Are you collecting personal information such as email addresses, phone numbers or IP addresses of individuals based in the EU? For example, do you have a newsletter subscription box on your site? As this is open to everyone, an individual residing within the EU has probably registered.
If your answer is yes, the GDPR affects you.
Side note: if you are a national security agency, the police or an intelligence agency, contact your legal department. The lawmakers have designed specific rules for your organizations. But I hope you are already aware of this…!
Which type of privacy data is affected?
OK so the GDPR refers to “personal data”. But what does this mean exactly?
Under the law, personal data is any information relating to an identified or identifiable person. Examples include:
- Email addresses
- Phone numbers
- Social network information
- Social security numbers
- IP address, browsing behaviour
In addition, if you gather personal data that falls into the “special categories” of Art. 9 (often called sensitive data), you need an explicit lawful basis for processing it and should consult your lawyer. As an example, the data listed below should not be pushed into a third-party marketing tool such as Mailchimp unless you have that basis and a data processing agreement with the provider:
- Sexual orientation
- Racial or Ethnic origin
- Medical information
What’s in it for the end-user?
From the point of view of a large organization and a small business alike, this is a new burden on processes, with additional and strict compliance requirements to take into account.
But as a user or so called “data subject”, as GDPR calls you (and we are all inevitably one of those at some point), this also means that as of May 25th, you will have additional rights over your data.
Some of those user rights have been enhanced, while others are completely new.
When it comes to my data, as an EU resident I now have the right:
- To access it: I can request my data from those who have recorded it.
- To rectify it: I can ask to have my personal data changed.
- To be forgotten (new): The company must erase all my personal data from its systems, and pass the erasure request on to any third-party systems (processors) it has shared the data with.
- To move it (new): In certain cases, I can ask the company to hand over my data in a structured, machine-readable format, or to transmit it directly to a new service provider.
What is this new focus on user consent?
Consent is one of the six lawful bases for processing personal data, and the stricter conditions the GDPR attaches to it are why you have received so many emails asking you to opt in or confirm consent. If you rely on consent, you must obtain it separately for each purpose you process the data for: blanket consent covering unspecified future uses is no longer valid, and exactly what users are consenting to must be crystal clear. Here is what the regulation (Recital 32) states:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
Freely given – the user must have a real choice: consent cannot be a hidden condition of using the service, and refusing it must carry no penalty.
Specific – consent is given per purpose, and in practice per channel: if you market to your users by telephone and by email, ask for each separately.
Informed – before they agree, users must be told who you are, what you will do with their data and that they can withdraw consent at any time.
Unambiguous – consent requires a clear affirmative act, so the language of your forms and privacy statements must be straightforward and easy to understand, and silence, inactivity or a pre-ticked box does not count.
So you are advised to:
- Respect the “Do Not Track” header sent by the browsers.
- Implement a cookie banner if you do not already have one
- Consider adding an “Opt-out” page where users can withdraw consent.
Note: see our GDPR checklist for a full list of advised actions to become GDPR compliant
But what is definitely NOT ok is:
- Pre-ticked check boxes, or consent buried in your terms and conditions
Withdrawing consent must be as easy as giving it in the first place, so make sure you are ready to offer this to your users or visitors. More information about consent here.
Are there any changes to data security?
The GDPR requires “appropriate technical and organisational measures” that nowadays should be best practice anyway: pseudonymisation and encryption of personal data, the ability to restore availability after an incident (redundancy and backups), and regular testing and review of the measures in place (see Art. 32).
You should be doing everything you can to stop a data breach from happening, and to minimize its impact if it does. Encryption and internal security reviews are a good start!
Transferring data outside of the EU? The GDPR identifies various legal grounds for this, so if this affects you, take a closer look at the exact requirements.
Data Subject vs Controller vs Processor - what does it mean?
The GDPR defines 3 different roles, each with its own obligations (or rights):
- Data Subject: the user of your website whose data you will be collecting
- Controller: you, the company that decides why and how the data is processed
- Processor: whoever processes the data on your behalf, such as your hosting service, Google (Analytics, Ads), Mailchimp or Facebook
Example: your client, the data subject, opens an account on your website. You, as a company, are the Controller, and the company hosting the website is a Processor. If you also track the user with Google Analytics, Google is a second Processor.
Data breaches: I’ve lost my client's data. Now what?
Under the GDPR, you must notify your supervisory authority within 72 hours of becoming aware of a personal data breach, and tell it what happened: the nature of the breach, the data and people affected, the likely consequences and what you are doing about it. If the breach is likely to put the people concerned at high risk, you must also inform them directly, without undue delay. This is a much faster turnaround than before, so you had better be prepared.
How do I become GDPR compliant?
Are you lost? Let’s take some practical steps towards compliance.
The GDPR requires you to record all your processing activities and to have effective policies and procedures in place. To help you with this, we have prepared a “GDPR Checklist”.
And what if I don’t care?
More bureaucracy, new roles within my organization. What the heck, not my prio!
OK, it might be tempting not to change anything. And if you are a small company the stakes are probably low. But the fines for those found flouting the new rules can be up to 4% of your total worldwide annual turnover or 20 million Euros, whichever figure is higher... Ouch.
Are there any benefits to GDPR and opportunities to take advantage of?
Or is it just a burden and more administration? It will indeed add complexity for data handling.
But it also might be the best moment to:
1. Start (and finish) that CRM project you’ve been postponing
A CRM will be the central location for all your customer data. In case of user requests to delete, edit or transfer to a different company, having all this data centralized will come in very handy.
2. Get better at collecting and verifying the data you will actually need
The enforced data audit is a good chance to streamline all your personal data collection processes. The data you do hold must be accurate and up to date. This provides opportunities for more precise marketing campaigns and makes sure you are not wasting time collecting information you actually don’t need.
3. Increase trust between your business and your customers
The law change is coming in part due to customer mistrust and ignorance of how their data is handled. If your customers understand how you collect, process and use their data, they will also understand why you are doing it (in most cases, making better products for them to use). In turn, this should lead to increased trust in your brand and hopefully, a willingness to share more specific data that they know will benefit them.
On the flipside, if everyone around you is making obvious efforts to comply with GDPR and you are not, then that singles you out as a company who doesn’t really care about their customers’ rights (that cookie banner implementation isn’t looking so irritating now, is it?).
What about third parties (e.g. Newsletter Tools, Analytics Reporting)
Typically, “Processors” that store and categorize personal information have a legal department that has been preparing for this regulation, and most now offer GDPR-ready terms and a data processing agreement. But you can still break your own compliance by sending them data you have no basis to share, or by not gathering consent correctly from your users.
An example with Google Analytics
When you install the Google Analytics tracking code on your website, it starts sending information to Google. As the Controller, you need to make sure that what you send is permitted, which in practice means nothing that identifies the visitor. If identifying data does end up in Google Analytics and a user asks you to modify or erase it, you have a problem: collected data cannot be edited, so you may be forced to delete the entire account, containing ALL your data.
Google receives the visitor's IP address with every hit; the anonymizeIp setting tells Google to truncate it before it is stored, so switch it on. Beyond that, look out for:
- Campaign URLs that identify the visitor (e.g. https://mysite.com?birthday=1980-09-12&city=Basel&companyName=Baloise&gender=female), since the query string is reported along with the page path.
- Your digital marketing agency setting up customized tracking events. It is possible to send additional personal data to Google (phone numbers, or email addresses).
Neither is allowed under the GDPR without a lawful basis, and Google's own Analytics terms forbid sending it personally identifiable information. If you want to dig deeper into this topic, you can check out this article.
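The “respect Do Not Track” advice earlier on the page and the Google Analytics warnings above, as an added example that is not part of the original article and is not Google's own code: a small gate that configures analytics only when the visitor has opted in and has not set Do Not Track, switches IP anonymisation on, and strips everything but campaign tags out of the URL before it is reported. The consent storage key `analytics_consent`, the measurement ID `UA-00000000-1` and the allow-list of query parameters are assumptions; `anonymize_ip` and `page_path` are fields of the Universal Analytics gtag.js `config` call.

```javascript
// Added example, not code from the original article or from Google: gate
// Google Analytics on consent plus the Do Not Track header, and scrub personal
// data from the URL before it is reported. Runs in a browser or under Node.
// Assumptions: consent is stored under the (hypothetical) key "analytics_consent"
// with the value "granted"; the config fields are those of Universal Analytics
// gtag.js ("anonymize_ip", "page_path"); the measurement ID is a placeholder.

// Query parameters that may be reported. Campaign tags identify a campaign,
// not a person; anything else (birthday, city, email, ...) is dropped.
const ALLOWED_QUERY_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
]);

// True only when the browser does not signal Do Not Track AND the visitor
// has explicitly opted in. `nav` is a navigator-like object so the check can
// be exercised outside a browser.
function trackingAllowed(nav, consent) {
  const dnt = nav.doNotTrack ?? nav.msDoNotTrack ?? "0"; // modern browsers vs. old IE
  if (dnt === "1" || dnt === "yes") return false;
  return consent === "granted";
}

// Keep only allow-listed parameters and drop origin and fragment, so a URL
// like ...?birthday=1980-09-12&city=Basel is reported as just the path.
function scrubPageLocation(href) {
  const u = new URL(href);
  for (const key of [...u.searchParams.keys()]) {
    if (!ALLOWED_QUERY_PARAMS.has(key)) u.searchParams.delete(key);
  }
  return u.pathname + u.search;
}

// Build the gtag "config" parameters: IP truncation on, scrubbed page path.
function analyticsConfig(href) {
  return {
    anonymize_ip: true,
    page_path: scrubPageLocation(href),
  };
}

// Configure analytics only if allowed. `gtag` is injected so the function can
// be exercised with a stub; in the page it is window.gtag from Google's loader.
// Returns true when tracking was configured, false when it was skipped.
function configureAnalytics(nav, consent, href, gtag, measurementId) {
  if (!trackingAllowed(nav, consent)) return false;
  gtag("config", measurementId, analyticsConfig(href));
  return true;
}

// Browser entry point (hypothetical storage key, placeholder measurement ID).
if (typeof window !== "undefined" && typeof window.gtag === "function") {
  configureAnalytics(
    window.navigator,
    window.localStorage.getItem("analytics_consent"),
    window.location.href,
    window.gtag,
    "UA-00000000-1",
  );
}
```

Load this after Google's gtag.js snippet and remove the automatic `gtag('config', ...)` line from that snippet, otherwise the loader sends a page view before the gate runs. The scrubbing is an allow-list rather than a block-list on purpose: a block-list of “personal” parameter names would miss whatever your agency adds next month.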
Now it’s your turn!
It’s time to make your first step toward GDPR compliance.
Or get in touch with us, so we can guide you for the next step.
We have trawled the regulations and created this post and are working on a checklist to help you comply, but also to get our own compliance in check. You might be wondering why our website is not fully compliant yet. We have a plan & we are working on it. Over to you!
Disclaimer: This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not hold us liable for the information given in this article.
Got any more questions? Talk to us today!