The EU's General Data Protection Regulation (GDPR) is a law that came into effect on May 25, 2018.
All organizations that collect or process data on individuals in the EU are required to comply with GDPR, even if you are not based in the EU.
While the fine for breaching GDPR is high (4% of annual global turnover or €20 M), the goal of the regulation is to strengthen and unify data protection for all individuals in the EU (located there, not necessarily citizens).
The full text of the GDPR is available for you to read, but note that it is lengthy. Read FAQ below.
Familiarize yourself with the rights of the individual in these plain-speak, short videos.
You can gear up your team to get your GDPR journeyman completed. Contact me for a workshop – together we can get this done in short order.
The EU's General Data Protection Regulation (GDPR) is a regulation that came into effect on May 25, 2018. All organizations that collect or process data on individuals in the EU are required to comply with GDPR, even if you are not based in the EU (for example: you are headquartered in USA, Canada, Australia, or Switzerland). While the fine for breaching GDPR is high (4% of annual global turnover or €20 M), the goal of the regulation is to strengthen
and unify data protection for all EU individuals. This is a shift in how we all go about digital marketing, communications, and online data collection.
As you know, most countries have established international laws pertaining to the business sector. Just because you do not have a physical office in the EU doesn't mean that you are out of the reach for authorities enforcing the GDPR. For example, the US and EU have existing bi-lateral business enforcement agreements in place. More importantly, the individual countries participating in the EU also have those agreements with the EU. Individual countries may enforce the GDPR on behalf of the European
Commission.
The full text of the GDPR is available for you to read, but note that it is lengthy. Essentially the focus of the GDPR is on the following areas:
Chances are that you have already been thinking about many of these ideas and may even have policies and practices in place to address many of them. For example, consider data breach. We already have laws in the US (they vary by state) and many countries around the world, that require you to notify users if your systems experience a data breach and their personal information is exposed/lost. GDPR might have tighter controls and requirements than what you are used to. However, if you have been following basic policy practices, meeting GDPR should require an extension of current practices versus the introduction of brand new ones.
It is true that GDPR required an organization to name an individual as a data protection officer (DPO), but the circumstances are very specific. If you collect sensitive personal data (for example: nationality, religion, sexual orientation, etc.) you will need to name a DPO.
Unfortunately, GDPR impacts many parts of the organization and that may not be apparent at first glance. For example, if you employ individuals in the EU, you are likely collecting their personal data and thus have obligations under GDPR. Your human resources team should be involved in the discussion around that data and obligations for gathering consent, collecting, storing, processing, and disposing of employee personal information.
Usually the following functions/departments are involved in adopting practices to confirm to the GDPR:
I cannot tell you if you will or won't be audited for GDPR compliance. Nor can I tell if you will or will not be fined for lack of compliance. However, I can tell you that GDPR is about fundamentally changing how we treat personal data and privacy of users online. And I can tell you that we have seen audits as well as initial fines.
Think about GDPR as we have been thinking about accessibility. Accessibility is the law in many countries (yes, even the US!) and you could be fined or sued if you have a website, mobile app or another digital channel that is not accessible to users. But the reason most organizations choose to be accessible isn't the fines or lawsuits (although that is a driver for some). Rather, being accessible online is the right thing to do and makes good marketing sense. By isolating a large population of users, including an aging population with disposable income, you are denying a segment of your audience the opportunity to engage with you online and buy products/services.
The same holds true for GDPR. Yes, it's a regulation, but it is the right and smart thing to do.
GDPR addresses two types of organizations:
If you support another organization by processing their data that is collected from EU persons, you are considered a processor and GDPR applies to you. You should become familiar with your obligations under the regulation.
Adopting any new policy and making changes to existing organizational processes is hard, regardless of type. The reality is that everyone has a job to do and trying to comply with a new policy, such as GDPR, is resource-intensive and disruptive to that day-to-day rhythm that has been established.
Some organizations have taken a foundational approach to GDPR, auditing all processes that result in data collection and analyzing them to ensure that consent is properly obtained, data is correctly stored and processed, and that data is discarded when it is no longer required to achieve the goal for which you obtained consent from the user. This process can be intensive in that it looks at every source of data throughout the organization, including internal systems, email, as well as all areas of digital marketing, communications, product fulfillment, back end office systems, and others. That can be time consuming as well as very costly.
Other organizations are taking a top-down approach by creating new policies and pushing into the organization knowledge to change individual processes in accordance with the GDPR. This can be more practical, but it is time consuming and can miss some areas that are not as evident; for example, that email you send to your marketing partner every year in January with the list of email addresses of users you target for a specific type of webinar. Yes, that one email is still subject to GDPR!
I have been working with organizations in a more collaborative, workshop style manner to determine GDPR gap areas and who in the organization should work to create actions to close them. This approach tends to be more compatible with day-to-day workloads and existing budgets.
No, you are not the only organization not compliant with GDPR. However, every day more organizations are starting their compliance effort. I urge you to consider starting the process and not letting yourself become overwhelmed. GDPR (and other recent data regulations) are a fundamental shift in how we collect, store, process, and discard user data going forward. It will take time to come into compliance, but you can't get there unless you start.
And the definition of starting can be very individual depending on your organization size, industry, type (B2C vs. B2B), etc. Simply creating a policy and coming into awareness of GDPR can be a start. But doing nothing and hoping that the regulation will pass is probably not a good plan.