There’s been a lot of chatter surrounding the European Union’s new GDPR law. If you’ve been left wondering what this new law means and if it even applies to your business, we’re here to help shed light on the subject. While technically the GDPR went into effect at the end of May 2018, an estimated 50% of affected US companies weren’t fully compliant by the start date, so there’s still work to be done.
What is GDPR & Who Does It Apply To?
The General Data Protection Regulation (GDPR) is a European Union law that protects Internet users and their data. This new regulation harmonizes data protection laws from around Europe into one overarching set of rules. It is also now the strictest data privacy law in the world.
If your company collects data about any EU citizens, through regular business or even lead generation, then this law will affect you. The penalties for non-compliance can be steep, with a maximum fine of €20 million or 4% of your global revenue, whichever is larger.
Basic Summary of the Requirements
The GDPR is a lengthy and comprehensive piece of legislation, but the basic components can be broken down into a few main categories. These are all requirements that your company should be able to meet should the occasion arise.
Lawfulness of Processing
This part of the regulation states that in order to process, or handle, anyone’s data, you must have a legal basis to do so. What constitutes a legal basis is broad and can even vary between EU member states, but the most commonly relied-upon bases are: informed consent, performance of contract, and legitimate interest. Let’s break those down.
Performance of contract is when your business needs to process a consumer’s data in order to fulfill a contract with them. This only extends as far as your business transaction though, so don’t try to market to these customers in the middle of fulfilling goods or services. The legitimate interests qualifier is a tricky one. The law says that you have a right to use data to fulfill legitimate business interests, as long as you balance the data privacy rights of your customers while you do so. This will be subject to objections and will be an area where precedent will likely become important as these guidelines start to be tested.
In addition to those main three, other legal bases include: vital interest (life or death situations), necessity to comply with legal obligations, and public interest.
Right to Access
Customers have a right to be informed about how their data is being used. This includes what types of data are being processed, who that data is being shared with, and how long the data will be stored. If the customer or client didn’t provide you with the data originally, you’ll need to be able to tell them where it came from. Additionally, customers may request a copy of their data that they provided or that was gathered by another company. However, this does not include access to any data derived from the original, in-scope data.
Right to Erasure
This is a much talked about principle of GDPR and has also become known as “the right to be forgotten.” The right to erasure states that if a customer requests that you stop using their data, you need to be able to erase them from your system, with some exceptions. This goes hand in hand with consent, so again, customers should have a method to revoke their consent that is as easy as it was to give. Additionally, you may also need to erase a customer from your system if their data is no longer needed or if you no longer have a lawful basis for using it.
Right to Data Portability
This tenet states that customers have the right to receive a copy of all their data from any company, have it transferred from one enterprise to another, and to be able to store it themselves for their future personal use.
Right to Rectification
This right lets your customers see their data and ensure its accuracy. If the data is inaccurate, they can expect the error to be fixed quickly after the company has been notified of the error. This could be a name misspelling, a wrong email address, or a digit off in a mailing address. The customer also has the right to ask you to temporarily stop using their data until the error is corrected.
Should your company fall victim to a data breach, the GDPR states that companies may need to notify a relevant supervisory authority (like the EU member state’s Data Protection Authority) and customers of any risk within 72 hours of the breach.
Where to Start with GDPR Compliance
The GDPR is an immense piece of legislation and all the ramifications and nuances of it are still being worked through, so it’s still too early to tell how aggressively the law will be enforced and which areas will be the biggest sticking points. Due to the size and uncertainty, we recommend teaming up with legal counsel to perform a thorough audit of your current business practices surrounding consumer data. Take stock of what types of data you collect and how it is gathered and subsequently stored. Could you delete a customer from all systems if needed? How transparent are you about how the data is used? It may also help to write a document outlining all your current data procedures.
Once you’ve assessed which areas of your data policies need to be addressed, you can start writing new policies and enhancing your technology infrastructure to ensure that all GDPR requirements can be met.
Here at Aptera, we’re studied up and ready to help you implement technical changes to bring your data strategy into compliance including: identifying the scope of compliance across your various systems and programs, deploying transparent data encryption, implementing user cookie and data collection consent interfaces, architecting for the right to be forgotten, and more.