The European Union’s General Data Protection Regulation (GDPR) has been in effect for just over a year and a half. In that time, regulators have already imposed more than $126 million in fines on companies that failed to comply with the law. This includes significant fines for Google, British Airways, and Marriott, and all signs point to continued, and possibly even ramped up, regulatory assertiveness.
Data privacy laws are proliferating with increasing regularity. The California Consumer Protection Act and Nevada’s SB 220 both went into effect within the last six months. Maine’s Act to Protect Privacy of Online Consumer Information will be effective this July. Such legislation will only become more common.
GDPR Violation Consequences
GDPR violators can face fines as high as €20 million or 4% of your business’s annual worldwide turnover for the preceding financial year, so there are real stakes for your company in complying with the law. However, fully understanding the requirements and implementing a compliant system can be daunting, especially if you tackle it on your own. Given the liability, we advise making your solution compliant sooner rather than later. Further, you can use the changes mandated by GDPR as an opportunity to improve your relationship with your clients and build deeper trust by giving them more control over how their data is used.
Soliant Consulting is not a legal expert. Your business’s legal team should be involved in any discussions related to GDPR compliance. We can, however, work with you to build a system that complies with GDPR and help you flag the major areas with which you will need to comply.
Does GDPR Even Apply to Me?
GDPR is fairly broad in terms of the businesses that it regulates. It applies to two broad strata of companies: (a) those that are “established” in the European Union and (b) those that process data of European Union residents.
If your business has a branch in the European Union, seeks to do business with any companies or individuals in the European Union, or processes data related to the offering of goods or services to individuals in the European Union, your system likely needs to be GDPR compliant. Likewise, if your business processes personal data of individuals in the EU at the time of processing, your system should be GDPR compliant. This means that GDPR applies to companies that are completely outside of the European Union if they are processing EU residents’ data.
Brexit doesn’t provide a loophole, either. GDPR will continue to apply to the United Kingdom as it transitions out of the European Union at the end of 2020. Beyond that, GDPR has been absorbed into UK domestic law; for all intents and purposes, GDPR will apply to the United Kingdom for the foreseeable future.
What Does GDPR Compliance Mean?
If GDPR applies to your business, it’s worthwhile to know a few of the regulation’s key objectives.
First, providing individuals with greater control over the use of their personal data is the heart of the GDPR. A major part of compliance is shifting away from the assumption that you may use customers’ data by default; instead, you need to obtain positive, affirmative consent from customers for how their data is used. In short, you can no longer rely on prechecked boxes to add customers to your mailing list; going forward, the default setting will need to be the most private one.
Second, as a business, you are required to actively manage the personal data you hold. This includes implementing privacy and security measures and deleting personal data that your business no longer needs.
Finally, GDPR requires businesses to be transparent about what data they use, how, and why. You should explain this in clear, easy-to-understand language.
The general public in both the European Union and the United States has concerns about a lack of transparency. People want to know what personal data businesses hold about them and what control they have over it. GDPR presents businesses with an opportunity to build trust with customers by providing them with information in a transparent and forthright way and collaborating with them over how you should use their data. At Soliant, we place a heavy emphasis on being a trusted advisor and prioritize transparency and collaboration.
What Do I Need to Do Next?
If your business matches the criteria above, it’s worth working to make your systems GDPR compliant. You should consult with your business’s legal team on defining compliance, but here are some key considerations:
- Establish the legal basis for collecting personal data. In most cases, you will have obtained that individual’s consent, or your business has a legitimate interest in collecting it. GDPR requirements will vary depending on the legal basis.
- Update your business’s Privacy Policy to ensure it contains all the information that GDPR requires.
- Make sure your business can handle requests from individuals to see their data. Then deliver it in a format that can be viewed and imported elsewhere.
- Ensure your business can handle requests from individuals to delete their data.
- Make sure your business can handle requests from individuals to correct data they believe to be wrong.
- Review and update your system’s default privacy settings and make sure they default to the most restricted option.
Other Considerations:
- If you’re collecting sensitive personal data, such as ethnic origin, religious beliefs, or medical data, this data requires special considerations.
- If the system involves a high risk to individuals’ personal data, your business should conduct a data protection impact assessment.
- Consent from minors should come from their parent or guardian.
- If using automated decision making, ensure your business can handle requests from individuals to opt out and to have the decision reviewed by a human.
- Obtain consent if your system uses any cookies other than strictly necessary cookies.
- If your business uses vendors to process personal data, establish a data processing agreement with them.
- If personal data may transfer to countries outside the EU, ensure those countries have adequate data protection.
- Make sure your business is clear on how to handle data breaches under GDPR.
Delivering Trust to Customers
GDPR represents a paradigm shift in how we think about personal data and who can exercise control over it. Giving consumers more control comes with the opportunity to develop a relationship with your customers based on trust and consent. This often delivers a better experience overall.
Feel free to reach out to Soliant if you’d like to make the most of this opportunity with your FileMaker, Salesforce, or open-source software system!