Is your inbox flooded with emails updating privacy policies? There’s a reason for it — and that reason is the General Data Protection Regulation, or GDPR.
It seems like everyone is talking about the GDPR these days. But why now?
Well, the thing is, GDPR has been in the works for the past seven years. But recently, there’s been an agreement as to what this data protection reform will truly entail.
Basically, the GDPR is a set of regulations designed to provide more control over personal data for European citizens. Apart from that, this reform will also regulate general consent and privacy laws in the online world, creating new standards for data processing and storage overall.
At least 50 percent of organizations have stated that they will struggle to be GDPR compliant unless they change their operation significantly. And this might be a European regulation, but it doesn’t just affect Europe.
Online businesses all over the world are advised to comply with new GDPR regulations — the GDPR is applied to every company inside the European Union, AND any organization outside the EU that provides products or services to clients or businesses within the EU. Chances are, the majority of worldwide corporations will have to be GDPR compliant... including you, if your company falls under the UK’s Data Protection Act.
Think of it like this – Facebook’s main headquarters are in America, but people living in Europe and all over the world can sign up for Facebook. So, since Facebook is offering services to Europeans and collecting their data, Facebook has to be GDPR compliant, even though it’s situated primarily in America.
Don’t be afraid of becoming GDPR compliant, though, even if you don’t technically have to be.
GDPR compliance can only do you good. You will be using a system that’ll process personal, sensitive information about your customers (or email subscribers) while keeping all of that data safe. In reality, everyone can benefit from the GDPR.
The good thing about GDPR is that it comes with strict rules and guidelines regarding data collection. That means no more blurry lines and more regulation. But it also means that those who have to be GDPR compliant will face penalties if they don’t adhere to the new regulations.
There are two distinct roles in data handling: the people (or an agency, authority, etc.) in charge of processing the data, and the people in charge of controlling it. With this setup, each of the two sides is fully responsible if misuse occurs, but if everyone follows the rules about data protection, breaches will be less likely. Before GDPR, there was no real solution if something happened to the data.
The first step in becoming GDPR compliant is to take a good look at the data you collect. Is that data personal? If it is, then you should apply GDPR rules and regulations.
If any data (a single piece of it, or the entire group) can identify the person, then it’s personal data. In that case, you have to get consent from these individuals, inform them how their data will be used, and for how long. Also, you have to give them insights into the data you have, and allow them to delete it if they want.
Typical examples of personal data include names, addresses and photos; even an IP address is considered personal data.
Furthermore, if they don’t ask you to delete the data, you have to take specific measures to protect it. One way to do so is pseudonymization.
While the name is complicated, the idea is fairly simple. Pseudonymization is a data management technique whose main goal is to depersonalize data so that it can’t be traced back to a person unless you use additional data, which acts like a key. Without that key, you can’t recover the original piece of data, in the same way that encrypted data can’t be read without its key.
GDPR also has a list of rules about the storage of those keys, so that the depersonalization process and the information itself remain safe.
The pseudonymized data and the key that re-identifies it are different puzzle pieces: take one out of the equation and you can’t see the whole picture.
While there are similarities, the main difference is clear. Encryption isn’t set in stone and there are several ways to achieve it, but the end result is the same: the data is protected and encrypted.
The difference between encryption and pseudonymization lies in the fact that you can’t process encrypted data unless you return it to its original, unencrypted state. With pseudonymization, you only temporarily anonymize the personal data so that, during processing, no one can connect it to the actual person.
Basically, while encryption is much safer and more complete, it’s also technically very complex to achieve, whereas pseudonymization lets you protect just the sensitive parts of the data. It could be roughly translated to a real-life situation where you are conducting a public questionnaire and the answers are anonymous, but the end result is the same: you get the data you were looking for.
In order to process data, companies need to use pseudonymization if they want to be GDPR compliant. They can choose not to be, but they’ll be facing multiple fines that could go up to millions of dollars.
With pseudonymization, data can be used in analytical, exploratory and statistical research, but only with the consent of the data owner. And companies will also have to have that consent readily available.
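To make the pseudonymization described above concrete, here is an added Python example (not code from the original article) that replaces the direct identifiers in constructed customer records with keyed HMAC tokens: the tokens still let you group records for statistics, but linking a token back to a person needs the separately stored lookup table, which stands in for the "key". The field names, the records and the 16-character token length are assumptions.

```python
import hmac
import hashlib
import secrets
from collections import Counter

# Constructed sample records (fictional people). Only "country" and "orders"
# are needed for the statistics; the other fields directly identify a person.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "ip": "203.0.113.7", "country": "DE", "orders": 3},
    {"name": "Bob Example", "email": "bob@example.org", "ip": "203.0.113.9", "country": "FR", "orders": 1},
    {"name": "Alice Example", "email": "alice@example.org", "ip": "203.0.113.7", "country": "DE", "orders": 2},
]
IDENTIFIERS = ("name", "email", "ip")


def pseudonym(secret_key: bytes, value: str) -> str:
    """Deterministic keyed token: the same value always maps to the same token,
    so records about one person can still be grouped. A keyed HMAC is used
    rather than a plain hash because e-mail addresses and IPs are guessable,
    and a plain SHA-256 of them could be reversed by trying candidates."""
    return hmac.new(secret_key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, secret_key):
    """Return (pseudonymized records, re-identification table). The table is
    the additional data that must be stored apart from the working dataset."""
    lookup, out = {}, []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFIERS:
            token = pseudonym(secret_key, rec[field])
            lookup[token] = rec[field]
            new[field] = token
        out.append(new)
    return out, lookup


def orders_per_person(pseudo_records):
    """Analytics on pseudonymized data: totals per e-mail token, no names needed."""
    totals = Counter()
    for rec in pseudo_records:
        totals[rec["email"]] += rec["orders"]
    return totals


def reidentify(pseudo_record, lookup):
    """Only works when the separately kept table is available; without it the
    tokens are left untouched."""
    return {field: lookup.get(value, value) for field, value in pseudo_record.items()}


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # keep this secret, apart from the data
    pseudo, table = pseudonymize(RECORDS, key)
    print(orders_per_person(pseudo))       # totals keyed by token, not by person
```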
Apart from pseudonymization, there are several technical solutions companies can implement to make sure this data is protected. It’s best to reach full encryption if possible, but other than that, companies can make sure that their current systems can sustain the policy changes.
Another way to protect data is to strengthen the systems in place. Build necessary safeguards in the systems, but also make sure that they are built into the products and services from the early stages of development.
GDPR rules will start applying on May 25, 2018. As of this date, all EU organizations and companies will have to be compliant with GDPR.
While many businesses think that GDPR is just a nuisance, they’re incentivized to comply with new GDPR rules because the fines are gigantic. The penalties can range from 10 million euros (more than 11.5 million dollars) to 20 million euros (23 million dollars), or two to four percent of a company’s annual global turnover, which could be worth billions of dollars for some companies.
Businesses can be fined if they transfer data without authorization or ignore people’s requests for data insight and data removal. Fines can also hit companies that don’t notify users and authorities within the first 72 hours after a breach has occurred. Failing to appoint a person in charge of GDPR rules and compliance, a person responsible for data protection within the organization, can also incur a fine.
Every organization that handles sensitive data, including processing, monitoring and behavior tracking, has to appoint a Data Protection Officer. That means that companies that use digital marketing strategies probably have to be GDPR compliant.
Being a DPO doesn’t require a certificate, and there is only a set of guidelines, not actual legislation, on who should be a Data Protection Officer. Mainly, that person should have experience with and understanding of data protection laws, and should carry out activities to make sure that the company is compliant. That person is also held responsible if the company isn’t compliant.
Also, depending on the company size, there could be just one DPO or an entire department dedicated to minimizing the risks and maximizing data protection.
There are several ways companies can ensure that GDPR is taken seriously and executed by the company.
Marketing departments inside companies are the ones who generally use sensitive data from users, but it doesn’t matter who handles data inside the company. The company as a whole needs to be compliant, and here’s a checklist to help simplify the process.
You need to have someone who will oversee and revise all internal processes and make sure that your company adheres to the guidelines. If you believe you don’t have anyone within your company who can perform such a role, then you should look into hiring someone who can. There are also GDPR training courses that your current staff can take to learn more about GDPR.
Until your marketing staff learns the ropes, a DPO should oversee your marketing campaigns and approve them before launch. This way, you can be sure that everything is in order and that you are remaining GDPR compliant.
Chances are your email list will be culled, but as you now know, that is a necessity. However, you still have to make sure that all future data collection is also GDPR compliant. Your data entry points also have to remain secure. These include newsletter signup, all account registrations, various events, purchase lists, data transferred to partners and, well, any type of data use and collection. Users should give you consent for all your data operations and you should explicitly point out all the activities you will perform with their data.
Teach all decision makers and marketing staff about data protection and protocols in place. You can even scale this to educate all your employees about the new rules and processes. This could be done through seminars, training, handing out booklets or online manuals — whatever works for your business.
One of the steps to becoming GDPR compliant is to minimize the data you’re using in everyday processes, if possible, and to delete the data when you no longer have a need for it.
Send an email to all European residents and request that they renew their consent if they want to be on your list. This can be done through email, mobile app or even direct mail. GDPR policies strictly prohibit sending a new email to individuals who have previously unsubscribed from your list.
There are two new terms that should be recognized and observed in this new GDPR era. Basically, we've already said that new products and services have to come with a built-in mechanism that will comply with the GDPR rules. Privacy by design means that companies should think about, and plan in advance, how to include data protection policies, even in the early project stages, as well as in the rest of a project’s lifecycle.
Data processors have to secure data privacy by default, which means that the personal data isn’t available to anyone except the data owner. Also, processors should only collect the minimum necessary personal data for the purposes of processing, without storing this data after completion.
Try to secure a technical solution that will solve many of these issues for you. That could, for example, be software that automatically deletes certain personal data.
To prevent possible breaches, and to comply with the GDPR, it’s better that companies put various tests, case studies and reevaluation processes in motion.
Make a GDPR compliance checklist for every new system, media campaign, project planning action or anything similar. That way, your employees can evaluate the process quickly, and notify the people in charge if the project fails to comply and misuses data in any way. Sure, companies or employees might think of these added steps as a burden, but it’s better to be safe than sorry.
Just remember those million-dollar fines.
Apart from securing the previously collected data, you have to make sure that the future data collection is secure from the get-go. You can use simple, natural language when you ask for consent.
Masking it behind complicated lingo can be very misleading. The consent people provide should be clear and unambiguous. Make sure that you clearly outline how you will use the newly collected information.
Companies have to understand that they cannot ask for personal information without a proper cause, not even if the storage of that information is in line with the GDPR rules. Companies should ask for legal assistance to prepare a legal basis for each data collection and processing activity.
New forms could include the age of the user and even country of residence to determine if the GDPR rules apply or not. Also, your customers have the right to know whether their data will be transferred across borders. At all times you have to make sure there’s a mechanism in place that will allow users to withdraw their consent, or even file a complaint.
If people ask for insight into their information, companies must comply and respond without undue delay, and at the latest within one month of receiving the request.
The European Committee has published a new law proposal concerning the ePrivacy Regulation. It’s intended as an update to the existing “Cookie Law”, and it is meant to be consistent with the GDPR, which is already in use.
While GDPR is concerned with the protection of personal data, the ePrivacy law aims to regulate the privacy of a user’s personal life, so that online communication itself protects the user. Many sectors and industries are affected by these laws. The European Committee believes that there should be two different sets of rules, based on different human rights.
This new ePrivacy law can impact the marketing industry quite a bit. More than 92% of people are worried about their online privacy and how their data is used for marketing purposes. They are extremely worried about the insight that companies have into their lives, especially when monitoring their online activities, email content and messages. That is why regulation has expanded from the GDPR, which covers personal data, to the ePrivacy law, which covers the rest.
Basically, there will be much stricter rules and policies regarding the obtaining of consent for all marketing purposes, behavioral marketing strategies included. With the new ePrivacy law, companies won’t be able to use any data from electronic communications, information stored on the devices used by consumers, or any other information, without the user’s consent, unless it’s needed for the immediate data processing.
Since companies have been sending out emails offering people the option to opt out of their mailing lists, scammers have figured out a way to use the whole GDPR compliance wave for their phishing scams. You can’t really escape the irony that hackers are purposefully targeting people who are trying to keep their data secure under the new GDPR rules.
If a company asks whether you want to remain in its database, that’s probably not a phishing scam. However, if at any point you receive a message asking you to send personal data or information again, like names, addresses, usernames, passwords and even payment information, steer clear. A real company would never do that over email.
Again, like with GDPR, the power of privacy control is returning to the data owner. With this new law, users will be able to provide consent for using cookies or retract it, right in their internet browsers.
These new privacy laws will be applicable to all messaging services, including Facebook’s Messenger app, Viber, WhatsApp and Gmail.
Many of these measures will directly impact the future of digital marketing, but it’s still early to say or even predict how this will pan out. We’ll just have to wait and see, keeping an eye on our data in the meantime.
Does your business need some help staying up-to-date with all of these new data regulations? Check out DesignRush's list of the best cybersecurity and risk management companies that can help streamline the process when the GDPR regulations hit.