General Data Protection Regulation (GDPR) is here… Now what?

Image Courtesy: The Business Continuity Institute (BCI) Company No. 03320173

It’s been almost a month since the General Data Protection Regulation (GDPR) took effect to protect individuals within the European Union (EU) and the European Economic Area (EEA). Many email inboxes were flooded with messages from organizations informing their audiences that their privacy policy was changing. Why? Well, if there is anything we learned from the Cambridge Analytica scandal at Facebook, it’s that in order to gain and keep the trust of consumers, managers, marketers, and IT professionals must evaluate how users’ personally identifiable information is being used and protected. Before we dive into the nitty-gritty of what regulations like GDPR imply, let’s discuss how this came to be and who it impacts.

GDPR Defined

According to Kris Lahiri, a Chief Security Officer writing on Quora, GDPR standardizes data protection law across the EU and imposes a slew of new rules on controlling and processing personally identifiable information (PII). In short, GDPR extends the protection of personal data and data protection rights by returning control to EU residents. These regulations went into effect May 25, 2018. GDPR replaces the 1995 EU Data Protection Directive and supersedes the 1998 UK Data Protection Act. As Lahiri reports, GDPR applies to any organization that uses the personal data of an EU resident.

These standards regulate how organizations collect and store personal information, including (but not limited to) how they:

  • Obtain data subjects’ consent
  • Provide notification of how data is used and subjects’ right to withdraw consent at any time
  • Keep data up to date and hold it no longer than necessary
  • Keep data safe and secure
  • Transfer personal data outside the EU and ensure applicable safeguards

Any US organization that has a web presence through which it collects personal data from EU residents must comply with GDPR data collection and protection standards. For many organizations, that includes these types of information:

  • Names
  • Addresses
  • Social Security numbers
  • Email addresses
  • IP addresses

Why are US-based companies like MailChimp and Evernote updating their privacy policies?

The answer is simple: globalization. Any organization that is headquartered in the US but provides goods and services abroad, especially in the EU, is subject to GDPR compliance. Non-compliance can bring huge fines: up to 4 percent of global turnover or 20 million euros ($24.4M), whichever is greater. For businesses that fail to go back and review the fine print, that could mean bankruptcy.

And US companies like Facebook have certainly taken notice. Although Facebook is headquartered in California, a scandal like Cambridge Analytica in the EU could cost it billions, roughly $2.8B or a 7 percent revenue reduction according to recent reports from Goldman Sachs. Thus, although headquartered in the US, Facebook must “play nice” for its users and advertisers in the EU. As a company that serves users worldwide, Facebook has announced its plan to make GDPR-style controls available to all users, and it has updated its privacy settings across the globe.

MailChimp, another US-based company, has also taken strides to assure users that it has incorporated “GDPR-friendly” forms, making it easy to obtain and record the consent GDPR requires. MailChimp errs on the side of caution not only by developing improved contact management functions but also by over-communicating with its audience on how to stay GDPR compliant: it has sent a multitude of emails loaded with blog posts and how-to instructions for obtaining the appropriate permissions when handling the personal information of an email audience.

GDPR for small businesses and freelancers

GDPR does not apply only to large organizations like Facebook and MailChimp, but also to small business owners and freelancers. The rules governing personal data, safety, and privacy apply to everyone, no matter the size of the company accessing consumer data. GDPR grants consumers the right to request the data companies hold on them. In turn, a new level of trust is born between businesses and consumers because of the need to abide by GDPR demands. Therefore, small businesses and freelancers can get ahead of the game by adjusting internal processes to align with GDPR regulations and enhancing transparency with their clientele.

If you are a small business owner or freelancer, it is to your benefit to become familiar with GDPR and to identify ways you can protect the interests, data, and personal information of your customers. HubSpot’s team put together a comprehensive playbook and blog post that explains in greater depth how to ask the right questions and build your own GDPR-compliant processes.

Achieving GDPR Compliance

Whether you’re located in the EU or elsewhere, and whether you’re a small business or an enormous enterprise, achieving GDPR compliance should be a top priority for you and your organization to avoid costly penalties and fines. Since the deadline of May 25 has come and gone, the risk increases the longer compliance is left on the back burner. To navigate this new playing field, we recommend the following:

  • Understand the law: There are various categories and definitions for storing data. Become familiar with the legislative expectations and how they apply to your organization.
  • Form a plan: Whether it’s hiring a Data Protection Officer or pulling in the stakeholders who manage the various information systems within your operations, you need to put together a concerted effort to become compliant.
  • Perform a risk assessment: Review existing data policies, procedures, and security measures, and identify where those areas may need new layers of authentication or protection.
  • Rinse and repeat: Go back every so often and review the three steps above to make sure nothing has changed, that your organization is abreast of new changes and regulations, and that it remains in a position to avoid a penalty or fine.

Privacy Policies in the Future

Peering into the future, it’s hard to predict how GDPR will continue to impact organizations, especially in the US. But what can be anticipated is that computer information system departments and organizational management teams will have ongoing discussions on how to tighten their privacy policies to meet GDPR compliance. As globalization continues to fuel hyperconnectivity among countries and e-commerce, companies that are proactive and plan strategically for tighter regulation will be the ones that rise to the top as data management practices continue to become more mainstream.