The EU's General Data Protection Regulation (GDPR) is a requirement coming into effect on May 25, 2018.
All organizations that collect or process data on individuals in the EU are required to comply with GDPR, even if you are not based in the EU.
While the fine for breaching GDPR is high (4% of annual global turnover or €20 M), the goal of the regulation is to strengthen and unify data protection for all EU individuals.
The full text of the GDPR is available for you to read, but note that it is lengthy. Read FAQ below.
Familiarize yourself with the rights of the individual in these plain-speak, short videos.
You can gear up your team to get your GDPR journeyman completed. Contact me for a workshop – together we can get this done in short order.
As you know, most countries have established international laws pertaining to the business sector. Just because you do not have a physical office in the EU doesn't mean that you are out of the reach for authorities enforcing the GDPR. For example, the US and EU have existing bi-lateral business enforcement agreements in place. More importantly, the individual countries participating in the EU also have those agreements with the EU. Individual countries may enforce the GDPR on behalf of the European Commission.
The full text of the GDPR is available for you to read, but note that it is lengthy. Essentially the focus of the GDPR is on the following areas:
Chances are that you have already been thinking about many of these ideas and may even have policies and practices in place to address many of them. For example, consider data breach. We already have laws in 48 US states and many countries around the world, that require you to notify users if your systems experience a data breach and their personal information is exposed/lost. GDPR might have tighter controls and requirements than what you are used to. However, if you have been following basic policy practices, meeting GDPR should require an extension of current practices versus the introduction of brand new ones.
It is true that GDPR required an organization to name an individual as a data protection officer (DPO), but the circumstances are very specific. If you collect sensitive personal data (for example: nationality, religion, sexual orientation, etc.) you will need to name a DPO.
Unfortunately, GDPR impacts many parts of the organization and that may not be apparent at first glance. For example, if you employ individuals in the EU, you are likely collecting their personal data and thus have obligations under GDPR. Your human resources team should be involved in the discussion around that data and obligations for gathering consent, collecting, storing, processing, and disposing of employee personal information.
Usually the following functions/departments are involved in adopting practices to confirm to the GDPR:
I cannot tell you if you will or won't be audited for GDPR compliance. Nor can I tell if you will or will not be fined for lack of compliance. However, I can tell you that GDPR is about fundamentally changing how we treat personal data and privacy of users online. So it is about changing mindsets and how we operate, and I personally do not believe that fining broad categories of organizations is the best way to reach that goal.
Think about GDPR as we have been thinking about accessibility. Accessibility is the law in many countries (yes, even the US!) and you could be fined or sued if you have a website, mobile app or another digital channel that is not accessible to users. But the reason most organizations choose to be accessible isn't the fines or lawsuits (although that is a driver for some). Rather, being accessible online is the right thing to do and makes good marketing sense. By isolating a large population of users, including an aging population with disposable income, you are denying a segment of your audience the opportunity to engage with you online and buy products/services.
The same holds true for GDPR. Yes, its a regulation, but it is the right and smart thing to do.
GDPR addresses two types of organizations:
If you support another organization by processing their data that is collected from EU persons, you are considered a processor and GDPR applies to you. Your should become familiar with your obligations under the regulation.
Adopting any new policy and making changes to existing organizational processes is hard, regardless of type. The reality is that everyone has a job to do and trying to comply with a new policy, such as GDPR, is resource-intensive and disruptive to that day-to-day rhythm that has been established.
Some organizations are taking a foundational approach to GDPR, auditing all processes that result in data collection and analyzing them to ensure that consent is properly obtained, data is correctly stored and processed, and that data is discarded when it is no longer required to achieve the goal for which you obtained consent from the user. This process can be intensive, in that it looks at every source of data throughout the organization, including internal systems, email, as well as all areas of digital marketing, communications, product fulfillment, back end office systems, and others. That can be time consuming as well as very costly.
Other organizations are taking a top-down approach by creating new policies and pushing into the organization knowledge to change individual processes in accordance with the GDPR. This can be more practical, but it is time consuming and can miss some areas that are not as evident; for example, that email you send to your marketing partner every year in January with the list of email addresses of users you target for a specific type of webinar. Yes, that one email is still subject to GDPR!
I have been working with organizations in a more collaborative, workshop style manner to determine GDPR gap areas and who in the organization should work to create actions to close them. It is unlikely that this approach will have you up and ready for GDPR by May 25, 2018. However, this approach tends to be more compatible with day-to-day workloads and existing budgets.
Different reports that I have read give the range of non-compliance with the GDPR between 60% and 80% of organizations. So if you are not yet compliant, you are in the majority and contribute to that statistics range. I urge you to consider starting the process and not letting yourself become overwhelmed. This is a fundamental shift in how we will collect, store, process, and discard user data going forward. It will take time to come into compliance, but you can't get there unless you start.
And the definition of starting can be very individual depending on your organization size, industry, type (B2C vs. B2B), etc. Simply creating a policy and coming into awareness of GDPR can be a start. But doing nothing and hoping that the regulation will pass is probably not a good plan.