Is your business or brand ready for GDPR?
What’s the fuss behind GDPR all about?
By now you have probably seen every business or company you subscribe to flooding your inbox, asking you to read and agree to their updated Terms of Service (ToS), privacy policies, or GDPR-compliant email campaigns. Here’s a refresher: GDPR is more than just inbox clutter.
We would also guess that the sites you visit frequently now ask you to agree to their updated cookie policies and privacy policies, and present themselves as GDPR-compliant websites or GDPR-compliant email campaigns.
These new policies and business practices around individuals’ data privacy are a result of GDPR, the General Data Protection Regulation.
Are you ready or is your business ready for GDPR?
Don’t sweat it. We understand that not all business owners are GDPR ready, so you’re not alone in this. GDPR can sound confusing, especially with all the other business matters you have to keep up with. This is why we have put together this guide to help you navigate the murky waters of the General Data Protection Regulation (GDPR): to educate and inform you about GDPR, what it stands for and what this legislation requires of us as business owners. Moreover, GDPR is not limited to online businesses; it also covers traditional businesses that collect and process consumers’ data. So it’s in your best interest to understand it if you are a traditional business owner using consumers’ personal data for marketing, advertising and outreach.
What is GDPR?
First of all, the General Data Protection Regulation (GDPR) is legislation that has been in the works for years. It was officially enforced on 25th May 2018 and is heralded as the most important change in data privacy regulation in 20 years. It replaces the Data Protection Directive enacted in 1995, which set the minimum requirements and standards for personal data processing in the European Union (EU). In essence, GDPR gives individuals more control and power over the data collected and processed by companies and businesses, not only in Europe but across the world.
Individuals now have the power to ask companies to disclose how they obtained their personal data and to request deletion of the personal data those companies hold. Regulators are also allowed under the law to launch separate and appropriate actions within their jurisdictions to enforce this legislation, and they have been given the power to enforce it rigorously. Violators risk heavy fines, with a maximum fine of €20m (US$24m) or 4% of annual turnover (whichever is greater).
GDPR creates even tighter laws in Europe, which already has far stricter laws than most regions about what businesses or companies can and cannot do with individuals’ data. In essence, GDPR isn’t designed only for companies located and operating in the European Union (EU): the law affects any company or business that offers products and services to EU citizens (anyone living in Europe).
This means that if you are a SaaS company with users in the UK, or have users who have downloaded an app in France or Italy, then you have no option but to abide by the new legislation.
What’s GDPR’s definition of personal data?
We’re glad you asked…
To understand what type of personal data you are allowed to collect and process, you have to understand the legislation’s definition of what personal data involves. GDPR defines personal data as any information that can be used to construct the identity of an individual. This could be photos, email addresses, names, social media posts, social media messages, IP addresses, bank details and medical information.
Personal data only applies to individuals and not companies. In other words, the legislation only covers personal data of individuals and does not govern data about companies or legal entities. However, information about an individual’s company may still constitute personal data if that information allows the individual to be identified.
Part of this law allows companies to designate someone within the company who will be solely responsible for the collection and processing of personal data and for ensuring the highest possible standard of data privacy. This person has to be qualified and certified to be in charge of personal data.
The key areas GDPR focuses on include, but are not limited to, consent, security breaches, individuals’ access to their information and transparency in privacy policies. In this sense, companies have the responsibility to explicitly request permission from individuals from time to time. The law is heavy on consent; therefore companies need to make sure an individual’s personal data is not used or processed in any way without their permission. On top of that, companies are required to get rid of the lengthy, convoluted and confusing “legal mumbo-jumbo” they usually present to individuals. The legal text of terms and conditions and privacy policies needs to be as simple as possible and easy to understand, with no room for ambiguity or uncertainty.
The other area that GDPR focuses on is security breaches. Under GDPR, companies must inform their customers or users as soon as possible once they become aware of a security breach. This matters because many companies fail to notify their customers on time about security breaches in order to protect their reputation and brand. Most companies tend to keep information about security breaches internal until the situation spirals out of their control, thus exposing sensitive personal data to hackers. Under GDPR’s new regulations, companies are expected to notify their customers or users within 72 hours of a security breach. This allows individuals to protect themselves from further damage that may occur as a result of such breaches.
In terms of data privacy transparency, the new legislation introduces its most significant changes by requiring companies to stop all ‘behind-the-scenes’ sharing of individuals’ personal data. Under GDPR, companies need to be transparent with users or individuals about how they collected their data, and explicitly inform them of the reasons why they need it and what they intend to do with it. This means that the personal data collected and processed should be relevant to the purpose for which it is to be used. Furthermore, the collection of personal data should be within the confines of the law.
What does this mean for my business?
In essence, this means that you need to implement extra steps to get consent from potential customers, current customers and every visitor to your website, online store (for ecommerce stores), and landing pages. Generally, GDPR is heavy on consent from customers and on transparency from you as a business about why you’re collecting their personal data and how you intend to process it. Keep in mind that GDPR is consumer-centric, so put yourself in their shoes: how would you feel if you found out someone had collected your personal data without your consent and without a transparent reason for doing so, including how they would use it?
It is important to be fully aware of the GDPR legislation and its implications. You should have GDPR-compliant landing pages, email campaigns, online stores and websites that explicitly seek consent from individuals and spell out why you’re collecting their data, the purpose of collecting their personal data and how you intend to process it. It is vital that you understand the GDPR fine print, especially if you plan to sell goods and services, or are already selling goods and services, to anyone living in the EU.