Your Quick Guide to Complying with General Data Protection Regulation
The EU’s latest update to General Data Protection Regulation (GDPR) compliance goes live May 25th, and for those who do international business, this can lead to a lot of questions: “Do I need to worry about GDPR? What does GDPR entail? What steps do I need to take to be in compliance?”
The good news is there are plenty of resources available to answer these questions, such as the ICO’s comprehensive and in-depth online GDPR checklist.
Who is expected to meet GDPR compliance?
GDPR compliance is required of all businesses who wish to operate in EU member states and serve individuals in the EU, either directly or as a third party. This affects solopreneurs and large corporations alike.
If you think your company shouldn’t be affected by the EU’s laws, consider this: if your company website is available to EU-based visitors and collects information regarding them, then GDPR compliance is relevant to you.
Additionally, if you hire EU applicants for your company or non-profit organization, GDPR compliance is relevant to how you process their information. You can read more about that here.
What is GDPR compliance?
The update to GDPR compliance focuses on how the personal data of individuals in the EU is processed by organizations. The goal is to ensure consent is “freely given, informed, specific and explicit.” In other words, GDPR compliance affects the way your company collects, stores and processes consumer and EU employee information, with the aim of encouraging transparency.
When it comes to consent, there are six key points to consider for GDPR requirements:
- Unbundled: Your consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active Opt-In: Pre-ticked opt-in boxes are now invalid – you’ll want to use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: This means you must obtain consent separately for different types of processing, as appropriate (e.g. separate communication channels such as email or phone calls).
- Named: Name your organization and any third parties who will be relying on consent – even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
- Documented: You must keep records demonstrating what each individual has consented to, including what they were told as well as when and how they consented.
- Easy to Withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
GDPR also requires that companies issue notifications of data breaches within 72 hours of becoming aware of them.
What’s the penalty for not meeting these rules?
They’re pretty strict: “Fines could be as high as €20 million (currently £17.7 million) or four percent of total worldwide annual turnover, whichever is higher, so being ready to comply is extremely important.”
My company doesn’t currently meet compliance. What should I do?
At Dream Factory, we’re updating all our client forms to meet GDPR guidelines and reviewing our automation settings to ensure they are compliant. To those who want to do the same, we give the following advice:
First, document the personal data that your company holds, where it came from and who it is shared with.
Next, review your privacy guidelines and how you currently process customer data and information. Determine the points where your process is lacking in GDPR compliance and determine ways to improve. This self-assessment guide is a good place to start.
For your existing customers, you can apply a “soft opt-in”. If an individual bought a product or service from you recently and gave you details regarding it, then you should be fine emailing or texting them. In this situation, two things are required:
- The individual must have had a clear opportunity to opt out of messaging when you first received their information.
- All marketing messages sent to this individual must also include a clear chance to opt out.
It’s important to add that soft opt-ins don’t apply to prospective customers or new contacts (such as those from bought-in lists). For more in-depth details on direct marketing, read here.
At Dream Factory, we take GDPR compliance seriously.
If you have any questions or concerns about how GDPR regulations affect your business, please contact us.