Monday 30 April 2018

GDPR - General Data Protection Regulation - What is it and how will it affect your business?

So many articles have been published to date about the upcoming EU GDPR regulation. This is an article about GDPR in plain English: I have tried to simplify it and make it easy to understand.
What is GDPR?
It is a new European regulation, the General Data Protection Regulation, which comes into effect on 25 May 2018. It is the largest overhaul of EU data protection rules in the last 20 years. After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018, at which time organizations that are not in compliance may face heavy fines.
Geographies of Implementation
The entire EU and EEA region. It is applicable to all companies selling to and storing personal information about citizens in Europe, including companies on other continents. The regulation also applies to non-EU companies that process the personal data of individuals in the EU. In short, the GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU.
What's the benefit for customers?
EU and EEA citizens will now have greater control over their personal data and will be assured that their information is being securely protected across Europe.
So what does personal data mean?
According to the GDPR, personal data is any information related to a person, such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address. In this new regulation, there is NO distinction between personal data about individuals in their private, public or work roles: the person is the person.
What rights will you (as a customer) have after GDPR implementation?
  1. Right to access data - You have full rights to ask for your personal data and also to ask how your data is being treated once it is gathered. The company needs to provide a free-of-cost electronic copy.
  2. Right to be forgotten - At any point in time, you can decide to withdraw and ask the company to delete all your details.
  3. Right to data portability - Full rights to get your data transferred/migrated from one service provider to another, all of this in a machine-readable and easily understood format.
  4. Right to be informed - Companies need to clearly inform you before they start the data gathering process. Consent should be freely given rather than implied, and a clear opt-in has to be in place before any further step in the collection happens.
  5. Right to correct information - Customers have full rights to get any outdated, incomplete or incorrect data rectified.
  6. Right to restrict processing - Your data can still be held by the company, but you can request that they do not process your data further.
  7. Right to object - You, as an individual, have full rights to ask the company NOT to process your data for any further direct marketing. There are no exemptions for companies: it should take effect right after the request is received from the customer, and customers should be informed of this right at the beginning.
  8. Right to be notified - If there has been a data breach which compromises an individual's personal data, the individual has a right to be informed within 72 hours of the company first having become aware of the breach.
Business Implications
As we have seen, GDPR is not only applicable within the EU and EEA region; it also applies to non-EU companies that process the personal data of EU citizens. So the first thing all such companies have to do is appoint a data protection officer or data controller who is in charge of GDPR compliance. Things will become harder for companies, and it will change a lot: policies, opt-in methods (maybe they have to look at double opt-in), the sales process, and everything that deals with the collection and processing of customers' personal data.

They must prove that consent to receive communication was given. This means that any data held must have a time-stamped audit trail and reporting information that details what the contact opted into and how. Purchasing marketing lists and then marketing to them will become more and more difficult: companies still need to show the consent information, even if a third party or vendor was responsible for gathering the data.

Also, when you meet someone at an event or industry seminar, you exchange business cards. Usually the sales rep comes back to the office, enters the prospect's details into the system mailing list and starts marketing activity to follow up and nurture the lead. This will NOT be possible anymore, so companies need to be smart about finding a compliant way to handle this. GDPR-proof companies will have a unique selling point.
What if a company is not GDPR compliant?
Getting Prepared and next Steps

Follow the 6-step procedure to become a GDPR-compliant company.

Thanks for reading!
Sarang