As of May 25th, every business that stores or processes data of people living in the European Union needs to be ready to comply with the General Data Protection Regulation, or GDPR. The regulation was approved in April 2016, and enforcement will begin soon, meaning any company not in GDPR compliance can face considerable fines.
If you’re already complying with the Data Protection Act, or DPA, you’re off to a good start. To help you understand the changes coming, we’ve invited award-winning business lawyer and leading expert on GDPR, Suzanne Dibble, to offer her advice about GDPR compliance.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new law in the European Union that aims to give individuals more rights over their data and to restrict how companies process private information.
Basically, GDPR is raising the standard of protection of data, which requires companies to be transparent and upfront about data usage, provide sufficient security for data, avoid taking more data than necessary and delete unused data.
Here’s what you can do to make sure your company is GDPR compliant.
1. Review GDPR for Your Business
Every company should be aware of the elements of GDPR and assess any changes that impact the business. Update decision makers about the upcoming changes to ensure that everyone is on the same page, especially since some of these changes may affect multiple departments.
For businesses operating in the EU, GDPR applies in totality. If you’re a U.S.-based business, however, GDPR only applies if you’re processing data of people in the EU with the intent of offering them goods and services or monitoring their behavior. This can include email marketing or Facebook advertising to EU customers.
2. Take Data Inventory
Consider the personal data that you collect and store, along with what you do with it and with whom you share it. Your processing activities should be recorded, and it’s best to have effective policies and procedures in place to protect your business and your customers.
4. Determine Legitimate Interest and Consent
Legitimate interest is when you have an interest in the data that you balance against the rights and interests of the data subjects. The more sensitive the data, the more this balance tips in favor of the data subjects. This typically applies to a pre-existing relationship between your business and the data subject or customer. For example, your company can send an existing customer marketing emails because there’s an established business relationship, so consent is not necessary.
Consent under GDPR is a higher standard than under the previous regulations. Businesses now have to use plain, clear language about what’s being sent to customers. For example, a business can’t say, “Sign up for my lead magnet,” and then send marketing emails to the customer. You can ask for newsletter signups, however, and tell customers that signing up may include information about promotions or a free report.
6. Get a Processor Agreement
Data controllers and data processors refer to the owner of the business and the owner of the email list. In many small businesses, both roles are handled by the owner. If your business uses a virtual assistant or a team that processes data, however, they should have protections similar to the owner’s in the form of a processor agreement. This agreement covers anyone who has access to your customers’ data and further protects your business and your customers’ privacy.
7. Assess Risk
Failing to comply with GDPR gives rise to several risks. A customer can complain to a regulatory authority about being spammed by your business, which could lead to an investigation and a hefty fine. A customer can also sue you individually, but the chances of that are low. In either case, the hassle and uncertainty of a customer complaint, the damage to your brand and the potential for a class-action lawsuit are all possible consequences of non-compliance.
This comes down to your own risk analysis. Generally, being as transparent and up-front as possible, even if every last detail isn’t in place, will go a long way toward compliance.
8. Prepare for the Future
GDPR may be stressful, but this is where the future of data protection is heading. It’s also good business practice to show respect for your customers’ data and put plans in place to protect their privacy.
Stay informed about the new regulations and take steps to become compliant. Tidy up your business practices and put your focus on privacy and protecting people’s data, which will put you 50% of the way there.
BONUS: Get Your GDPR Compliance Pack
We hope that some of the myths and confusion surrounding the GDPR and what it means for your business are now cleared up. If you still need help bringing your business up to GDPR compliance, we have just what you need. Suzanne Dibble is offering a GDPR Compliance Pack that includes all the necessary documents, as well as videos and notes to help you fill them out and some helpful tips along the way. Get yours here!
If you’re looking for guidance with marketing, sales prospecting or modern entrepreneurship, Mojo Global can help. Contact us today to see what we can do for you and your business!