Alarmist headlines like this about GDPR remind me of the Y2K bug, when people feared those pesky digits missing from early mainframe and minicomputer programs would cause planes to fall out of the sky and power stations to grind to a halt. Alas, we know the Y2K bug was much ado about nothing, except for consultants profiting from fear of the unknown.
Unlike Y2K, the impending General Data Protection Regulation (GDPR) mandate is based on what we do know: In recent history, businesses have suffered massive data breaches threatening their credibility and survival. As the owner of a marketing-based company I take data privacy and protection very seriously, for real reasons, as should you.
In the U.S., we may not have heard the term before (since it originated in Europe) and may think, "Why would such a law affect us?"
Here’s why: Although GDPR is of E.U. origin, it applies to any business offering services or goods to any E.U. resident. As the E.U. market is the largest in the world and almost every global enterprise is doing business in the E.U., this means GDPR becomes the de facto standard worldwide. And beware: Noncompliance can carry penalties as high as 4 percent of annual global revenues.
The increasing expansion of cloud and mobile computing practices in enterprises makes U.S. companies more exposed to GDPR, as they often act in both roles, as data processors and as data controllers.
Due to their global trade relationships and dependencies, U.S. companies are increasingly required to expand privacy efforts and make them more flexible. U.S. companies operating in the E.U. market that gather personally identifiable information (PII) are subject to GDPR regulations in all of the E.U. countries where they do business. Organizations are not protected from responsibility because they rely on a third-party cloud provider to manage data, which is often also a U.S. company. The first step is to recognize this responsibility and create a strategy to react and comply by May 2018, when GDPR becomes law.
One of the starting points is to appoint a Data Protection Officer (DPO) — a position that will become a legal requirement in E.U. organizations with a central data storage and processing function.
The E.U. General Data Protection Regulation (EU GDPR) provides a single data protection law for the E.U., creating a reference and basis upon which security platforms can be initiated, and preventing the loss of personally identifiable information as a consequence of security breaches. The GDPR will enforce stringent data protection requirements for all organizations that possess or process personally identifiable information, and/or monitor the behavior of E.U. citizens.
GDPR has been created to ensure that data protection laws are up to date with the “internet age” and are responsive to the ever-increasing threat of security breaches and cyber-attacks. The directive is prescriptive and will help to reassure European citizens that their personal data is safe, enhancing their confidence in and interaction with online services.
The regulation puts the security of EU citizens at the forefront of all processing activities — including granting individuals new legal rights concerning access and data erasure, and holding organizations accountable for any obligations to which they fail to adhere.
The Role of a Data Protection Officer (DPO) in GDPR
Your DPO can be a staff member or contractor; however, the role must be designated on the basis of professional qualifications and expert knowledge of data protection laws. Here’s what the job demands:
- Inform and advise the data processor and employees who process personal data of their obligations under the regulation.
- Monitor compliance with these regulations, including the assignment of responsibilities, awareness-raising, and training of staff involved in the processing operations, and related audits.
- Provide advice where requested regarding the data protection impact assessment and monitor its performance.
- Cooperate with the supervisory authority.
- Act as the contact point for the supervisory authority on issues related to the processing of personal data.
Overall the DPO’s job is to be a catalyst towards a change of mindset necessary for successful implementation of GDPR compliance procedures. The whole point of GDPR is moving companies to acknowledge the concept of privacy by design and default. No easy task.
GDPR is the first major change in data laws for nearly 20 years, and it will have a huge impact when it comes into force. For many marketers it's the first time they have had to respond to international legislation and the scope of work this process entails is only just becoming clear. It's up to every partner in their ecosystem to provide the support, guidance and expertise that will ensure they don't fall foul of the heavy penalties reserved for any non-compliant businesses.
And contrary to popular belief, personal data is not just consumer information. It is hard to think of a business today that does not use personal data. Whether you have employee data, customer data or supplier data — if the data relates to an individual, you will be covered by the new data protection laws.
After the summer break, we have only six months of intense activity to get into shape for all these changes. This raises the very real possibility that most organizations will not be compliant in time.
For marketers around the world, here’s a 10-point checklist to kick you off:
- Begin preparations NOW — don’t wait for GDPR to come into force.
- Make sure privacy notices meet the “transparency” challenge.
- Assess the impact “opt-in” would have on your database.
- Test and optimize data collection statements.
- Consider using legitimate interests for some processing.
- Make sure the database can store proof of consent and multiple permissions.
- Review contracts with processors.
- Check whether the type(s) of profiling your organization conducts will need explicit consent.
- Prepare to fulfill the new rights of natural persons.
- Undertake a formal GDPR Impact Assessment.
Rather than fearing the unknown, GDPR provides an opportunity for marketers everywhere to do a real inventory and get their data warehouses in order. The law should motivate marketers to review and update their customer information and determine how to use that data to provide a better and more profitable customer experience, rather than doing the minimum to be compliant.