Preparing for Success with the General Data Protection Regulation
In an era of far-reaching user data breaches, from banking to social networks, the European Union (EU) is set to begin enforcing its legislation, approved in April 2016, known as the General Data Protection Regulation, or GDPR.
This is a bold move in the right direction for consumers whose information is spread far and wide on the internet, whether it’s logging into apps on smartphones or providing personal data to companies for products and services. However, it has an equally important but potentially dangerous impact on business and commerce in the United States.
What is GDPR?
Simply put, GDPR gives consumers and users control over, and ownership of, the data that companies collect about them. It also restricts the export of consumer data and gives users the ability to delete their information or stop sharing it.
It also covers other urgent consumer-first protections including:
- Data breaches. Under GDPR, companies have to alert users and/or the public within 72 hours of a data breach.
- Underage users. Users under age 16 require parental or guardian approval before sharing information.
- Easy-to-understand consent. Consent given by users must be agreed to with plain language, easy-to-understand policies. Likewise, there must be an efficient way for users to reverse consent at their choosing, if needed.
- Right to user data. GDPR also ensures users have the right to request access to their data to understand how and where it’s being used by organizations.
- Stronger system protection. New regulations also require that more solid, protective systems be put in place for users first, rather than organization- or profit-first.
It also means companies have to be honest about data breaches when they happen. Under GDPR, companies have 72 hours to alert the public if a breach occurs. Users under the age of 16 are also protected, requiring approval from a parent or guardian before sharing information.
The first iteration of this policy was put in place in 1995 as the Data Protection Directive, which helped harmonise the rules and regulations on online data use across the EU’s 28 nations.
Data breaches, particularly high-profile breaches like the Equifax breach in 2017 or the recent Facebook and Cambridge Analytica data sharing, have made users wary of sharing information online. According to a recent RSA Privacy & Security report, 40 percent of respondents admitted to using false information when engaging with a company for products or services.
To further help protect users, the GDPR puts more emphasis on ownership of data and, in particular, on the consent that users give for companies to access their information and data.
According to CNBC, these new regulations mean that companies can’t “bundle consent together” into confusing jargon that allows loopholes for organizations to abuse user data.
Are there penalties for GDPR?
Businesses that don’t comply, or refuse to comply, can face major financial penalties that could cripple investments and profits. Specifically, failure to comply can result in a fine up to 4 percent of annual global turnover or 20 million euros ($24.6 million), whichever is bigger.
Companies have images to uphold, too, and GDPR’s strict requirements reinforce that. Nearly 62 percent of people in the RSA survey said they blame companies before hackers when a data breach occurs. GDPR takes the same view, and that view is one of the many foundations of these new, stringent regulations.
How do I know if GDPR applies to me?
Professionals across all industries are, no doubt, asking not only how to comply, but if GDPR applies to their organizations.
Europe, by and large, has had a stricter code of conduct when it comes to the protection of user data, far stricter than the United States. But GDPR, while protecting EU citizens specifically, reaches across the pond in every direction.
Companies in the United States, especially multinational businesses, will have to comply with the new regulations if they serve users in the EU. Even chance visitors to websites or applications from the EU are protected, which creates an urgent need for organizations to put rules in place now.
Whether you develop a smartphone application or you’re seeking newsletter subscribers, collecting data from any EU audience requires adherence to GDPR.
Can I be exempt from GDPR?
If your organization doesn’t target users in the EU and doesn’t do business with users in the EU, you’ll likely fall out of scope for GDPR.
Users in the EU who happen to find a U.S.-based website meant for U.S. audiences, or one not specifically targeted at EU users, won’t be protected by GDPR. However, any targeted marketing efforts aimed at EU visitors, as well as transactions with, or requests for information from, EU users, are exactly what GDPR protects.
A quick review of your Google Analytics can tell you whether you have EU visitors engaging with your web properties. A discussion with your organization’s marketing team, especially about targeted marketing, will help you decide how to proceed as well.
Regardless, it’s best to seek guidance from your organization’s legal team and I.T. team to make sure the level of care you put into adhering to GDPR is adequate.
Are companies prepared for GDPR?
Technically, organizations around the world have had more than two years to prepare for GDPR. Many organizations and webmaster tools, such as Google, are giving companies and “controllers” (any organization that requests or accesses user data) information and tools for how to comply with GDPR.
In 2017, compliance firm TrustArc and the International Association of Privacy Professionals (IAPP) surveyed more than 500 privacy professionals across various industries and found that 84 percent planned to have GDPR adherence in place by May 2 of this year.
Many organizations have already met or started scheduling meetings with their I.T. and legal teams to make sure privacy policies and other small print legal conditions are aligned with GDPR to keep consumers safe and dodge potentially crippling fines.
How can we prepare for GDPR?
The most important question for companies is how their organizations can personally prepare for GDPR. Not only will your organization want to be prepared, but you’ll want to ensure any third-party applications or functionality in your app or website also adhere to the new regulations.
- Meet with your legal team. If possible, get face-to-face with any legal representatives you have available. Talk about the changes that need to come, and potentially how to communicate those changes internally and externally.
- Bring I.T. into your marketing initiatives. MarTech recommends integrating your I.T. and marketing teams at the very least, so that everyone understands what’s at stake. You’ll both stay updated on what’s happening on both sides of your worlds: from cyber technology to marketing efforts around the globe, and how they work together.
- Revise your company’s privacy policies. As mentioned, clear, easy-to-understand policies about the use of user data are integral to GDPR. If you’re asking users for information, even just to register for your mailing list, make sure plain language is used to explain how this information is collected and used by your company. And always give users an opt-out or a way to reverse their permission.
- Understand where data goes and how it’s used. HR and payroll solution company MHR, based in the United Kingdom, recommends data mapping: identifying the key information that’s collected and documenting how it moves between departments and across the organization as a whole. This will help you understand any potential privacy risks so that protections can be put in place in advance.
- Use clearly identified options for users to revoke their data permissions or delete their data. Squinting to find a hidden “unsubscribe” button in email footers should be forbidden anyway, but with GDPR it will be even more important that users can easily revoke their permissions for data, or delete it entirely. See an example of this email option:
- Check your own Google Analytics (GA) data. See how much traffic, if any, is coming from the EU and verify if any of your campaigns or marketing is meant to target EU users, as this puts you under the GDPR umbrella.
- Verify (and understand) the privacy policies and terms of third-party vendors. If you use any third-party applications or functionality, you’ll want to verify and understand their privacy policies to make sure they’re adhering to GDPR, too, where it applies. Under GDPR, if you use third-party applications that aren’t in compliance, then your organization isn’t in compliance, either. Get on the phone and discuss it in detail with their customer service or technical teams if it’s unclear from their legal language. If you find third-party vendors that aren’t in compliance and are failing to adhere to GDPR, consider other avenues for that functionality. Likewise, work only with third-party providers who are GDPR-compliant in the future.
- Expand your team. MarTech recommends hiring a Data Protection Officer (DPO) to help assign liability and ensure adherence to regulations like GDPR. While it may be an investment to find someone who can carry this load for your organization, it’s worth your time. “Consumer information deserves to remain private,” MarTech writes. “So anything you can do to stay in compliance will help you overall.”
You’ll want to know what Google’s up to, too. Like many companies, you’re no doubt engaging with Google Analytics or other webmaster tools in the Google shed. Partly in response to GDPR, and partly in keeping with its own stringent Terms of Service, Google is making some important changes.
For example, starting May 25, Google is changing its default for data retention. If you use Google Analytics for tracking user data, you’ll want to check in on the changes, as certain data older than the cutoff will be automatically deleted, according to a recent article by Moz. However, author Will Critchlow points out that this change isn’t necessarily a direct response to GDPR; rather, it gives controllers the tools they might need to restrict data storage in the future.
Google is also making deep strides to combat any accounts that are collecting personally identifiable information, or PII, such as full name, address, social security information, and date of birth. It’s important for controllers to audit their GA profiles for any PII risks, as well as to update their data retention settings, as needed.
So what does this all mean?
The truth is, we’ll likely see the outcomes of GDPR in the coming months and years as organizations are penalized or highlighted in the media for breaking the rules. It’s possible, too, that more of our favorite tools (like Google’s webmaster suite) will adjust as the reach of GDPR becomes better known.
It’s always better to be safe than sorry, so make sure you collaborate with your team — from marketing to I.T. to your own legal counsel — to ensure you’re delivering the safest and most trustworthy experience to your users.
Erin Schroeder is a senior content strategist and writer at Geonetric, where she helps healthcare brands organize user-first websites, content marketing, and brand messaging. As a former journalist, she never lost her love to write. You'll also see her articles on content strategy and user experience around the web, including UX Collective, UX Booth, and Prototypr.