The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) "is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU)." It comes into effect soon - on May 25th, 2018 - and even non-European businesses, or those who aren't selling into the European market, should be aware of it, prepare for it, and consider its impacts. Whether or not it legally applies to you in the EU, it is still good practice to follow these recommendations no matter where your business originates or sells into.
Watch the video below to learn the considerations you should keep in mind (note that the following does not constitute legal advice, and you should consult your own lawyers about what applies to your particular business).
1. Legal Implications (EU & European Local Law)
Key to the GDPR, individuals have the right to access their personal data, correct errors in and erase their personal data, object to the processing of their data, and export it whenever they want. They also have the right to be told:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- And what will be the effect of this on the individuals concerned?
Also key is the Notification of Breaches: if there is a data breach, the affected users whose data you hold need to be notified immediately.
2. Governance & Management
In terms of governance, organizations will need to:
- Protect personal data using appropriate security,
- Notify authorities of data breaches within 72 hours,
- Obtain appropriate consents before processing data,
- Keep records detailing data processing,
- Provide clear notice of data collection,
- Outline processing purposes and use cases,
- And define data retention and deletion policies.
3. Operations, Policies, & Procedures
All organizations will need to:
- Train privacy personnel & employees,
- Audit and update data policies,
- And create & manage compliant vendor contracts.
It's also recommended that larger organizations employ a Data Protection Officer.
4. IT & Technology Infrastructure
For businesses that have contact forms and email subscription forms on their website, this may mean that:
- To comply with the Right to be forgotten:
  - A business should give the user the option to ask for the deletion of their data at any point in time - whether a user profile or data submitted via a contact form or other form submission.
- To comply with the right to download & change data:
  - The website should also have a mechanism for users to download or change their data electronically.
5. Alignment Across the Whole Organization
Last of all, you'll need to ensure that everyone within your business understands how the GDPR works and what the procedures and policies at your company are, so that they are able to follow them accordingly. This includes team members across all departments, including HR, marketing, IT, finance and others, as it will affect operations for everyone.
Now that you know more about the GDPR and how it can have an impact on your business, please check out other recent blog posts covering useful Inbound Marketing tips.