The EU General Data Protection Regulation (GDPR) is being touted as “the most important change in data privacy regulation in 20 years”, and with good reason. The new law is set to reshape the internet by dramatically redefining the way that we look at how data is gathered, stored and shared.
GDPR was approved by the EU Parliament back on 14th April 2016 and is set to come into effect on Friday 25th May 2018. As of that date, any businesses that are non-compliant will be liable to fines. Heavy fines. We're talking millions upon millions of dollars.
The good news is that the aim of the legislation isn't to cause problems for business owners. It's meant to bring privacy laws across the whole of Europe into line under a single piece of legislation, replacing the now-outdated Data Protection Directive 95/46/EC. It's intended to further protect EU citizens from data and privacy breaches and to bring the old legislation – which was drafted in 1995 – up to date with the modern world.
Is it time to panic?
It depends. Is your company compliant? According to Gartner's research, by the end of 2018 over half of all companies affected by GDPR will not be in full compliance. And that's no surprise. After all, companies are often so busy that they're barely keeping up with their existing workloads, and something as seemingly abstract as GDPR compliance can take a lower priority – until it's too late to do anything about it.
The good news is that it's not too late, and there may well be a leniency period in which some companies are slapped on the wrist as long as they can prove that they're already taking action. But make no mistake – simply ignoring the incoming regulation is unacceptable. It's risky at best and corporate suicide at worst.
One of the biggest issues is lack of understanding. Marketers are leaving it to IT teams and IT teams are leaving it to marketers, while CMOs, CIOs and CEOs are letting it slip because they're under the illusion that the regulations don't apply to them or their business. There's an incorrect assumption that the legislation only covers businesses with a physical presence in Europe.
Will US businesses escape GDPR?
The short answer to this question is “no”. In fact, one of the biggest impacts that the GDPR will have is that it has an extended jurisdiction. That means that it doesn't just apply to companies in the European Union. It applies to any company that handles the personal data of EU citizens, whether or not the company itself is in the EU.
This means that even if you're based in the US and all of the data is being stored and processed stateside, you'll still need to obey the legislation. It specifically applies when activities relate to “offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.”
On top of that, US-based businesses that process data of EU citizens will also be required to appoint a representative in the EU. And when it comes to collecting data, companies are required to refrain from legalese and to make any requests for consent as clear and as easy to understand as possible. And arguably most importantly of all, it should be as easy for people to revoke their consent as it is for them to give it.
Cookies and the GDPR
The biggest change when it comes to cookies is the fact that website owners will no longer be able to force users to accept cookies in exchange for information. In other words, a website needs to display information to people whether or not a user accepts the cookie agreement. And as before, the agreement needs to be free of legalese and it must be as easy for people to remove consent for cookies as it is for them to grant it. Simply expecting people to clear their cookies within their browser isn't good enough.
Remember that the GDPR is an extensive piece of legislation with plenty of nuances and so it's a good idea to familiarise yourself with the official documentation. There are additional clauses in place that come into play in specific circumstances, such as if there's a data breach. You'll also need to be prepared for requests from consumers who want to know whether you're holding data on them and, if so, where it's being stored and what it's being used for. Companies will be required to provide an electronic copy of this data free of charge to anyone who requests it.
What else is covered?
You probably won't be surprised to learn that the right to be forgotten also plays a major part in the GDPR. As one of the European Union's most well-known regulations when it comes to data and the way that it's handled, the right to be forgotten is designed to allow people to ask for their data to be erased and to no longer be used by either the data controller or other third parties.
According to the GDPR, this applies when the data is no longer relevant to the purpose that it was provided for or when the data owner withdraws their consent. Data owners are required to compare the rights of the data owner to “the public interest in the availability of the data.”
The new regulations also cover data portability, which is the idea that a consumer should be able to request their personal data and to receive it in a “commonly used and machine readable format” that can be passed on to another provider. While this might cause a headache for brands, it could actually be an important step towards the democratisation of data, allowing people to build interoperable systems.
The final thing you need to know is the concept of “privacy by design”. The idea is that privacy compliance should no longer be an afterthought. It should be included right from the design stage, whether that's by doubling down on database security or whether it's by minimizing the amount of data that's gathered in the first place. Ultimately, brands will be legally required to put their customers' best interests at heart – even if that means they need to rethink their entire approach to data storage and analysis.
What are the penalties?
The penalties for GDPR non-compliance are severe, with companies facing fines of either up to 4% of their annual global turnover or €20 million – whichever is larger. This is the maximum fine, and it will be levied only in the most serious of cases, such as failing to gather sufficient user consent.
The fines involved follow a tiered model, so the 4% drops to 2% when companies fail to keep the records needed to deliver the required notifications if a breach is discovered. This regulation also applies to both the data owners and the data processors, which means that neither party can plead ignorance. It's in all parties' best interests to comply with the law – and in fact, it will rapidly become a sign of a poor-quality supplier if they don't double-check that you're GDPR compliant.
Some people like to bury their heads in the sand and to just hope that they don't get caught out. But the difference between GDPR and previous legislation is that it's very clear about what it covers – and the penalties for non-compliance are much more severe than they used to be. Even if there was no other argument for making sure that you're in full compliance, just remember that nobody wants to become an example. And no one wants to pay those massive fines, either.
Are you ready for the change?
Only 28% of websites in the UK will be ready when GDPR comes into effect on May 25, 2018 (according to Sapio Research).
The GDPR can be confusing, but the legislation is in place for consumers' protection. While that may mean a little inconvenience as you realign your approach to the data you gather, it's for the common good. The change is happening – and the penalties for non-compliance are real.
Of course, it's not always easy to do it yourself, which is why many companies hire experts. Here at Zfort Group, we're ahead of the curve with the new regulations and are helping our clients and customers to follow in our footsteps.
So if you're not ready for the new GDPR laws and you need a helping hand, get in touch and we'll be happy to bring your company into full compliance!