Like May the 4th is for Star Wars fans, World Cup final day will be for football fans, the 25th of May is a big day for…urm, personal data security fans. That’s all of us, right? So it’s of huge importance as our favourite acronym for the past year has become a reality – the glorious GDPR.
It wasn’t an easy path for businesses, agencies and software companies to comply with the new data protection regulations. Firstly, the amount of information, confusion and lack of preparation in the face of the GDPR deadline was massive.
Secondly, the time available to get GDPR implemented was always tight, despite the regulation being known about for years beforehand. For organisations that are now GDPR-compliant, the estimated average time to complete the requirements has been seven months. For larger companies that weren’t already compliant, it was considerably longer.
Most of us probably shared that feeling of having a lot to do in the run-up to the 25th May. As users we had to deal with a large amount of (sometimes clear, sometimes not) information and spam, with all the data protection updates on every single site. That’s before we even got to receiving those lovely emails from brands asking our permission to still be contacted by them.
GDPR is here… And now what?
After some nervousness, GDPR is here and no one wants to be the test case that sets the precedent and incurs the first penalties. So, hopefully every organisation has taken a good, hard look at the criteria and assembled a GDPR implementation team already, along with making the necessary site changes.
Let’s have a quick reminder of what the major changes are:
- The scope of the law’s application covers all websites of organisations established in the European Union that process personal data. It also covers websites of companies not established in the EU, if their websites receive visits from EU citizens.
- GDPR states that this information can be collected and stored if it’s properly anonymised. It affects all kinds of data that can identify a person, directly or indirectly: names, emails, age, ID, financial information, cookies, physical, psychological, genetic, mental, economic, cultural, social identity and IP address.
- Consent requirements have become stricter and explicit consent will now be necessary for processing users’ data. In addition, the consent may be revoked at any time by the interested party.
- Companies must report security breaches to data protection authorities within a maximum of 72 hours. Companies must also inform the individuals impacted.
- A copy of your personal information must be delivered to you in electronic format when you request it.
- The rules for processing data on anyone under the age of 16 have become much stricter. An organisation may not collect personal data from anyone under 16 without obtaining consent from a legal guardian on their behalf.
- The principle of data minimisation requires that companies retain and process only the data necessary for the purpose for which it is used, as well as limiting access to personal data to those who need it for the fulfilment of their role.
- Sanctions have also increased: under the new regulation, fines can reach up to 4% of the company’s annual turnover.
Okay… so if you’ve completed the hard work to ensure that you were ready for the deadline, can you now relax or do you still need to worry?
Remaining GDPR compliant
The goal of GDPR is to help you determine what personal information you can collect and to put new procedures in place to ensure compliance. Because business environments change fast, you need to design a continuous improvement plan that addresses all the requirements of GDPR on an ongoing basis.
GDPR sets a principle of active responsibility, which implies that companies and organisations assume a proactive role in such compliance. The key is to stay calm, do your homework and take the following steps to make sure you are compliant:
- Before you start processing any personal data, take measures to ensure that the processing complies with GDPR. Determine what data you will collect now and may want to collect in the future.
- Continuously audit compliance with the regulation both within the organisation and by external vendors, to determine how collecting data will align with current processes.
- Identify a process to receive and respond to data subject requests or individual user requests. If you don’t have one, you could consider building an automated tool to manage those requests.
- Make sure your marketing vendors provide you with the technical methods used (tracking pixels or cookies) to capture user data and its purpose.
- You will need to update your privacy information and inform your website visitors what data is captured and how it may be used, as well as obtaining informed consent before they enter or interact with your site.
New marketing vendors
Your vendors will need to provide you with the technical methods used (tracking pixels or cookies) to capture user data, and its purpose. Remarketing ads and content companies can use pixels or cookies to capture personal information, with the aim of remarketing to your audience.
If you agree with a new affiliate agency to track links to your site, a cookie will normally be placed in the user’s browser to track their activity.
Similarly, if you have a new Display Ad partner that serves ad content from a third-party ad server, they may place cookies to gather data on visitor activity on your site for targeting purposes.
In all the cases above, you will need to update your privacy information and inform your website visitors what data is captured and how it may be used, plus deal with the C-word again. Yep, consent. You will need to obtain informed consent before users enter or interact with the site.
Emails opt-in: Another grey area
Have you spammed your subscribers with the opt-in option to renew consent? YES… well, maybe it wasn’t necessary at all!
An article on The Guardian said: “Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented”.
Now, if you had reason to doubt that this original consent met the standard under the existing Data Protection Act, you were right to require fresh consent from your subscribers. Otherwise, you broke the Privacy and Electronic Communications Regulations, which make it an offence to email someone to ask for their consent to send them marketing by email.
What happens next?
On the one hand, GDPR has affected companies of all shapes and sizes, from big data processors and software firms to marketing agencies, making a radical change when it comes to compliance with data regulation.
At the same time, thanks to GDPR, internet users will be able to ensure all of their data is protected from organisations that have used data irresponsibly. It puts users in charge of what information is shared, where and how it’s shared, whilst relying on a single law unified across EU member states.
More than ever, organisations need to be precise, explicit and intelligent to ensure they are using customer data to improve their customer experiences; otherwise, they will be blocked.
So, the 25th May has come and personal data is protected more than ever. Companies have worked hard to ensure that they are compliant with regulations. However, the work is far from complete. This is an ongoing requirement and organisations of all sizes must ensure their compliance doesn’t falter.