What Does GDPR Compliance Mean for Your Business?Kenneth Nel
Red tape can be such a bore, we totally agree. However, in this instance, it’s worth sitting up and taking notice. Yes, we’re talking about GDPR compliance and how it affects your business, and we encourage you to scan through this piece and start (or finish) putting ducks in rows.
What is GDPR Compliance?
General Data Protection Regulation (GDPR) is a big hairy directive proposed and implemented by the European Commission to protect the privacy and personal data of individuals within the EU and the EEA. While that sounds pretty benign, this law has some serious teeth, and it’s well worth finding out if your business is affected and how so.
Companies had until the 25th May 2018 to become compliant and were given plenty of time and information leading up to this date to sort out their systems. Following this comes some hefty fines and not just finger-wagging by the authorities.
If your business operates outside of the EU, does that mean that you are exempt from compliance? Most online transactions can be conducted from anywhere, and you have no idea whether your customers are EU residents or not. Therefore, compliance extends to business who have a presence in any EU country, who possess any personal data on an EU resident.
What is the GDPR Protecting Against?
With almost every transaction imaginable available online, personal data and privacy protection have become a big issue. Identity theft, fraud, extortion, and every sort of dark and illegal act is possible once you have enough information on a person. Businesses can no longer throw their hands up after being hacked and having thousands of credit card details leaked to the general public and say, “Oops!”
However, it’s not just the possibility of fraud that consumers are concerned about. An alarming number of individuals falsify some personal information when signing up for online services simply to avoid their details being sold on or to avoid pesky calls from overenthusiastic call centre agents.
What Constitutes “Personal Information”?
Personal Identifiable Information (PII) held by companies includes data which can identify one person from another. It can include:
- Name and address
- Drivers’ license
- Passport or other identity document numbers
- Banking/ financial information
- Social media posts
- Email addresses
- Ethnic information
- Sexual orientation
- Health information
- Web data including an IP address, location or cookie data
- Political opinions
How Does the GDPR Affect Your Business?
The GDPR (and the reasons for it) has been widely publicized and consumers are, for the most part, very well aware of what their personal rights are, and what to expect from a business who is asking for their information, or which holds their details within their database.
The RSA Data Privacy and Security Report highlighted some key concerns for businesses who choose to remain unaware of their responsibilities.
For example, half of the individuals surveyed said that they would choose to shop with a business which clearly shows a responsibility toward their customers by taking seriously the protection of their data. Therefore, as time goes on, people are more likely to vote with their feet and move over to your competitor if you choose the easy way out on this key piece of legislation.
Losing customers, however, is a small issue when we consider the consequences of non-compliance. This means that all businesses (and their third-party vendors or data controllers) need to ensure that their agreements between each other and their customers show clearly how any PII data is stored, viewed and accessed, and by whom.
Individuals need to give explicit consent to your business if you are holding their information for marketing purposes (as opposed to for sending a statement, for example.) A simple route would be to send a mailshot to everyone on your database confirming consent to own and access their details (expect some drop off though – people may use this as a welcome excuse to reduce the influx of emails), or you may want to just remove people for whom you can’t show explicit opt-in consent.
As you can imagine, we have only scratched the surface of the long arm of the GDPR but suffice to say that if you are wondering whether or not you are compliant, then you probably aren’t. And you should be.