It’s finally here! The General Data Protection Regulation, also known as the GDPR, was officially rolled out on May 25th. Many of us are either blissfully unaware or mistaking it for some sort of new European holiday. But the GDPR is about to change your company in ways you cannot imagine. That’s why we’ve created this post explaining what is essentially a game-changer for business owners. We’ll cover everything from who’s impacted by the GDPR to how it will affect your revenue and customer relationships.
For starters, Fomoco News gets you up to speed on the who, what, where, why and when of this hot-button issue.
The Who…and Why
You don’t need to be an expert to know the GDPR is all about protecting the personal data of European Union (EU) residents. Data that could contain anything from an email address or physical address to medical records or credit card numbers. It’s basically every piece of information that would allow someone to identify you individually. And with it potentially being accessible by anyone through various channels (think: hacking), businesses with leaky data pipelines are in trouble with the new regulations.
Many of you are also probably wondering about how these new regulations will affect your business. The GDPR spells some hard, but necessary changes for businesses that handle the personal information of EU residents. Let’s take a closer look…
First Impact: fines for non-compliance
The new rules mandate massive fines for companies that mishandled personal data, which can reach up to 4% of annual global turnover or €20 million, whichever is greater. That’s equivalent to $27 million or more depending on the size of the company. And it gets even more expensive if the breach of information results in any sort of harm to the affected party.
Second Impact: consent requirements
Business organizations in EU member countries will be required to obtain “explicit consent” before collecting personal data, and to provide individuals with an easy way to opt-out. For instance, asking for people’s dates of birth or phone number when you collect their email address is no longer sufficient under the new regulations. And instead of vague terms like “opt-in,” you’ll be required to clearly define what is personal data along with how it will be used. This includes defining when that information can be transferred outside of your company or group, and when that data can be sold or rented.
Third Impact: data portability
Individuals will now have the right to access their personal data and copies of that data. In other words, people can request to see their information and then take it with them. This provision allows customers who switch from one company to another, or customers who leave your company for a competitor, to retrieve their personal information from you and take it with them. And if you think people won’t use this feature, think again. Those in the EU who purchased a Playstation 3 console found out that Sony had been storing passwords in an insecure fashion – allowing gamers to take their gamertags with them when they switched to a competing brand of console.
Fourth Impact: restriction on automated decisions
The GDPR prohibits applications that make automated decisions based on personal data. For instance, calling an auto insurance company with your date of birth, then asking for rates on that specific date. These are some of the more benign tasks that will now be restricted. And if no human can make a final decision on personal data, you must ensure you have access to them on a regular basis. This does not affect calling up for an annual review of your insurance policy or renewing your license plate – those are already rules under the old regulations.
Fifth Impact: accountability
Businesses will be expected to report security incidents involving personal data promptly. This isn’t just about hackers, but also includes losing a laptop on a train or if an employee is fired for misusing customers’ personal data. Security incidents are on the rise, so the GDPR’s accountability rules are certainly welcome to many consumers.
Fifth Impact: data protection officer requirements One of the most confusing provisions of the GDPR is that businesses must hire a data protection officer (DPO) to oversee compliance. Essentially, you have to have someone within your organization who’s making sure that you’re meeting all of your new obligations under these regulations. To be clear, this requirement does not apply to small businesses with fewer than 250 employees.
These are just a few of the main provisions to keep in mind
There are over 100 individual GDPR principles that you must follow. And don’t think this is just about the EU, because the rules have been interpreted to be global for non-EU companies, so neighboring countries may soon be imposing similar requirements. You can learn more about the GDPR in our post here .
How Will The GDPR Impact Your Business?
You may be wondering how exactly these new regulations will impact your business, and specifically what you need to do in order to comply with them. Let’s take a look…
There are two areas of concern that you’ll want to focus on: transparency and consent .
Transparency is the foundation of the GDPR, and it’s also one of the more straightforward requirements. You’ll be required to update your privacy policy and disclose to individuals how you collect, use, store and secure personal data. And when you do so, you’ll need to include a clear statement with a link to these regulations.
You will also need to have a privacy notice available on your website or in your mobile app so people can easily find it before they sign up for a service or buy a product from your business. Of course, this is only part of the process you’ll also need to inform EU residents in writing that they can object to how their information is collected or used.
