GDPR and your Company
Understanding what the impending European data privacy regulation is all about is half the battle in preparing your company for its implications ahead of 25 May 2018. The EU GDPR has emerged in response to a society that lives and breathes data: sharing, collecting, storing and using it for everything from online banking to social media, personal contacts and the near-unique fingerprint of your personal computer, your IP address.
The mailing lists people are signed up to that flood inboxes with marketing debris, the ads that show up on Facebook mirroring recently visited sites; all the ways companies reveal why they are collecting personal consumer data in a bid to tailor their communications, and ultimately their customer service, are what has led to the creation of the GDPR. Calling into question whether more targeted communication is the only purpose of data collection, the new regulation aims to clarify exactly where that information goes after it is flung out into the virtual ether.
What companies facing the arrival of this new European privacy regulation must know is how it will affect their business, because, contrary to popular belief, the GDPR will affect more than just a company’s IT operations. Sales and marketing activity will also come under scrutiny, as the new regulation aims to hold the company as a whole accountable, ensuring that every facet is complying with it.
This means that a simple piece of email marketing will require more than just a ticked box and an opt-out option to meet the GDPR standard of data privacy; companies are now forced to review their business processes, applications and forms in order to bring their approach to data in line with double opt-in rules and email marketing best practice.
Furthermore, it won’t only be companies based in the EU and EEA regions that are affected by the GDPR: it will apply to any company, worldwide, that sells goods or services to European citizens and stores personal information about them, regardless of whether the data processing takes place in the EU or on another continent. The advice, as most will already be aware, is to appoint a data protection officer or data controller whose job it is to continuously monitor your company’s activities, processes and data usage to ensure they are compliant with the GDPR. The penalty for failing to comply is exorbitant, with companies facing fines of up to 4% of their annual global revenue or €20 million, whichever is greater.
As 25 May fast approaches, those companies whose data handling the GDPR will change have things to be done company-wide. For existing employees, review current employee documents, i.e. contracts or other documents referring to permissions for data processing that may require employee consent; for incoming hires, make the necessary adjustments to employment contracts, privacy statements and disclosures in order to set out the additional legal basis for data processing.
Dispose of any unnecessary data, something that will prove more difficult once the GDPR is enforced, and implement more stringent security measures and safeguards to better protect against data breaches. These safeguards should also cover external suppliers, as they and their networks are a digital extension of your own, making you as vulnerable as they are. Companies should also set procedures and policies in motion for how they intend to handle personal data under the GDPR, so that everyone involved has a distinct framework within which to operate.