Everything You Should Know About GDPR 2018
There’s so much talk about personal data these days.
Not long ago, the Economist declared it “the world’s most valuable resource.”
In another article, the Telegraph described it as “the fuel for the digital economy.”
And you know what… they’re right!
Just think about it, no matter what you do online, send emails, fill out inquiry forms, shop, or even perform a simple web search — you share valuable personal data.
And if you’re wondering about the full scope of personal information companies collect, consider this:
But have you ever wondered what happens to this information? Or how organizations really store, process, and secure it? And finally, are there laws and regulations that can protect us from companies abusing our data?
This issue has come under scrutiny by the European Union’s Parliament. And as a result, a new General Data Protection Regulation — GDPR — will come into effect in EU member states on May 25, 2018.
Now, before you dismiss GDPR as irrelevant, let me clarify something. This regulation will affect every company that collects or processes the data of EU citizens, regardless of where it’s based.
This means that if you use lead capture forms on your site to generate leads, for example, and customers from the EU might sign up, GDPR will be relevant to you.
Similarly, if you simply do business with European customers, and in turn, use their contact information to process invoices and payment, you should become GDPR compliant.
And luckily for you, that’s what I’m going to talk about in this post.
- What GDPR is
- How the new regulation will affect your sales and marketing, and
- Where to start the process of becoming compliant.
Interested? Then let’s get right to it.
(Note, when creating this article, we collaborated with IT Governance, the leading specialist in data protection and GDPR compliance from the UK.)
So, what is GDPR?
According to the official statement on the GDPR site:
“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.”
But I agree, this rather complicated definition hardly reveals the full implication of the new legislation.
So let’s go over it in more detail.
First, GDPR is a regulation. It defines the roles and processes organizations must implement to ensure that any personal data they possess is secure and processed with a person’s consent.
Also, as a regulation, once GDPR comes into effect on May 25, 2018, it will immediately become law in all EU member states, and every organization will have to adhere to its processes.
The focus of GDPR is to provide EU and EEA citizens with greater control over their data. In short, the regulation aims to improve how organizations collect, protect and secure personal information.
GDPR updates the definition of personal data and makes it more relevant to the times we live in. According to the official statement, personal data relates to:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
What’s important from a business perspective is that this definition relates to all personal data, whether it pertains to a person’s individual or professional activity.
And so, if you collect any customer information during a B2B sales process, under GDPR, you’re still collecting personal information. As a result, you’ll need to process it in line with the new regulation.
(By the way, don’t worry if this sounds a bit intimidating. We’ll explain the ins and outs of becoming compliant later in this guide.)
GDPR will affect every business that sells to EU customers, regardless of where they are based. Which means that if your business isn’t in the EU, but you do business with European citizens or businesses, you will have to become GDPR compliant.
And finally, businesses that do not adhere to the new regulation and suffer a data breach can expect severe fines:
- Up to 4% of annual global turnover, or
- €20 million, whichever is greater.
To put the severity of those new fines into perspective, according to The Register, last year’s personal data breach fines in the UK would have been 79 times higher if applied under the GDPR.
But unfortunately, as it turns out, most businesses are still far from GDPR compliant.
Here, let me show you:
GDPR Adoption So Far
According to last year’s survey by Dell, at the time:
- 97% of companies didn’t have a plan to be ready for GDPR, and
- more than 80% of global respondents knew few details or nothing about GDPR.
And as it turns out, the situation hasn’t improved significantly.
- 53% of executives possess very little knowledge of GDPR and the implications of non-compliance.
- At the same time, a staggering 66% of those companies are fully aware that they process EU citizens’ personal data (and so, must become GDPR compliant).
Luckily, achieving compliance isn’t as complicated as it might seem.
But before I show you what to do, let’s go over some of the most crucial GDPR elements, and discover how they will impact your business.
The Rights of Individuals Under GDPR
At the heart of GDPR lies a set of rights a person can exercise against organizations processing their personal data. Specifically, individuals have the right to:
#1. Data Access
Under GDPR, you will be able to request access to your personal data and learn how an organization uses it after they’ve obtained it from you. Also, a company will have to provide you with a copy of your personal data, if requested, and free of charge, at that.
#2. Erasure
You will have the right to withdraw consent to store and use your personal data and have the information erased.
#3. Data Portability
You will have the right to transfer your data from one service provider to another, and your current provider must comply with this request.
#4. Rectification
Individuals can also require any errors in personal data to be corrected, and an organization must reply to the request within one month.
#5. To Be Informed
Under GDPR, companies must be transparent about how they gather personal information, and must do it before they collect the data. As part of this, customers must freely give consent for their data to be gathered for a specific purpose.
#6. Restrict Processing
This gives individuals the right to block and suppress processing of their personal data. Under suppression, an organization can still store personal information but cannot use it in any way.
#7. Stop Processing
Individuals will have the right to object to using and processing their personal data. This includes direct marketing, profiling, processing for scientific or historical research, inclusion in statistical research and much more.
Once a person objects, all his or her data processing must cease immediately.
Why Those Rights Are Important to You
You see, GDPR gives individuals (that category includes your prospects, leads, clients, contractors, employees, etc.) greater control over their data.
They have the power to influence how you gather and process their data:
- They need to give you consent to collect and process it,
- they can request that you stop using it,
- they can amend their details,
- and they can even request the complete removal of their information from your systems.
On your end, you’re obliged to comply with the new regulation and act on any requests from persons wishing to exercise their rights.
And you’ll need to act promptly. As Niall McCreanor of IT Governance explained to us:
“Under GDPR, if a person requests to know what data you hold on them, you must acknowledge receipt of the request within 20 days, and all relevant data must be handed over within 30 days, otherwise it is deemed as a breach of the regulation. And the reason for that is simple — this gives the data subject much more control over how their data is being handled.”
So, here’s specifically how GDPR will affect your business.
How GDPR Affects Businesses
First of all, let me stress this again — GDPR will impact every business that sells to EU citizens.
And so, in business terms, if you prospect, outreach or sell to EU customers, and in turn, collect their personal data (as per the new GDPR definition), GDPR will impact you too.
Moreover, if you store EU customers’ data outside of the EU, you’ll be subject to the rules on data export. As the UK’s Information Commissioner’s Office points out:
“The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.”
Of course, this doesn’t mean that you can’t store those customers’ data on your servers.
But you’ll have to comply with the relevant parts of the GDPR to do so.
(Note: for that reason, some software companies are moving EU citizens’ data back to servers in the EU. This way, they immediately become compliant with this part of the new regulation.)
But specifically, here are the three areas of your business GDPR will affect.
Customer Data Collecting and Processing
Under GDPR, you’ll have to gain a person’s consent to collect and process their data.
And I admit, at the outset, the above statement may seem intimidating. So let’s discuss it in a context where it affects businesses the most — lead generation.
Currently, when a person signs up to your email list — be it by downloading a lead magnet or simply subscribing to a newsletter — you can assume that they agree to receive communications with you.
And by extension, you can presume that you can send them whatever marketing communication you wish.
As a result, at present, your lead capture form can be as simple as this:
Under GDPR, however, you’ll need to get a person’s explicit permission to contact them. You may also need to specify the exact type of communication a person’s going to receive.
And what’s more, you won’t be able to use their personal details for any other purpose.
As Niall McCreanor from IT Governance explains:
“Once consent has been obtained, the data subject may only be contacted in ways and on subjects that they have actually opted for, e.g. a newsletter can’t be sent to a person who has only opted into a special offers mailing list.”
So, for example, you won’t be able to collect emails via an online contest, and then, follow up with all contestants with sales messages (unless they’ve given you consent to do that while signing up).
In other words, once GDPR comes into effect, instead of assuming that a person signing up for a newsletter wishes to be contacted by you, you’ll have to ask them directly for permission to do so.
In our case, we would have to amend the signup form to something like this:
But that’s not all. As McCreanor further explains:
“Organizations will have to be able to prove that a person has given them consent to process their information. Any data you hold on an individual will have to be time-stamped, and you’ll need to be able to provide details of when that contact has opted in and how.”
How does this affect you, if you’re a non-EU business?
Unfortunately, if EU citizens sign up to your list, you will have to amend your lead capture forms in line with the above.
Actually, as Niall McCreanor stressed to us:
“Any company that handles the data of any citizen of the EEA (EU, Iceland, Liechtenstein and Norway) must be compliant with the GDPR. The primary focus of the GDPR is to protect the data of citizens of member states regardless of an organization’s location.”
Data Retention
One of the key GDPR requirements is that an organization should retain a person’s data only for as long as it is necessary.
Unfortunately, the EU doesn’t specify what counts as a necessary period.
As IT Governance explains, this will be assessed on a case by case basis.
So, for example, hospitals keeping patients’ records for years most likely wouldn’t come under scrutiny. After all, a person’s medical record might help with future treatment.
However, the situation might be different with a company sending sales emails to customers who have been inactive for 5 years.
For that reason, specialists advise that businesses should seek re-consent to continue using an individual’s personal data.
And although there are no guidelines for seeking re-consent, specialists suggest re-consenting a list every two years.
And there is another twist to this too.
Once GDPR comes into effect, you will have to seek re-consent for every person currently on your list.
“If a person was signed up for a mailing list more than two years ago because they failed to opt out of it, or if the person is receiving information on subjects they have not signed up for, it is best practice for the company to seek permission to maintain contact via email and then to repeat this action every two years thereafter. Otherwise, to comply with the Regulation, this data would have to be destroyed.”
How does this affect you, if you’re a non-EU business?
You will have to seek re-consent from all EU citizens on your list.
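As an added illustration (not code from this post or from IT Governance), here is how the consent records described in the McCreanor quotes above (time-stamped, per purpose, with a note of how consent was given) and the two-year re-consent practice could be kept and checked, together with the data handed over on an access request. The class and field names, the status labels and the sample contact are assumptions.

```python
"""Consent ledger for purpose-specific, time-stamped opt-ins (added example).
Assumed rules from the text above: consent is recorded per purpose with a
timestamp and the way it was given; a contact may only be emailed for purposes
they opted into; consent older than two years must be re-obtained."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

RECONSENT_AFTER = timedelta(days=365 * 2)  # "re-consent a list every two years"


@dataclass
class ConsentRecord:
    purpose: str          # e.g. "newsletter" or "special_offers"
    granted_at: datetime  # time-stamped so the opt-in can be proven later
    source: str           # how consent was given: "signup_form", "trade_show_verbal"
    withdrawn_at: Optional[datetime] = None


@dataclass
class Contact:
    email: str
    consents: List[ConsentRecord] = field(default_factory=list)

    def grant(self, purpose, source, when):
        self.consents.append(ConsentRecord(purpose, when, source))

    def withdraw(self, purpose, when):
        for c in self.consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = when

    def consent_status(self, purpose, now):
        """Return 'ok', 'reconsent_due' or 'no_consent' for one purpose."""
        active = [c for c in self.consents
                  if c.purpose == purpose and c.withdrawn_at is None]
        if not active:
            return "no_consent"
        if now - max(c.granted_at for c in active) > RECONSENT_AFTER:
            return "reconsent_due"
        return "ok"

    def may_contact(self, purpose, now):
        # Only the exact purpose counts: an offers opt-in does not cover a newsletter.
        return self.consent_status(purpose, now) == "ok"

    def access_export(self):
        """What to hand over on an access request: held data plus when/how each consent was given."""
        iso = lambda d: d.isoformat() if d else None
        return {"email": self.email,
                "consents": [{"purpose": c.purpose, "source": c.source,
                              "granted_at": iso(c.granted_at),
                              "withdrawn_at": iso(c.withdrawn_at)}
                             for c in self.consents]}


def demo():
    """Constructed sample: offers opt-in via a form a month ago, newsletter opt-in verbally 3 years ago."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    alice = Contact("alice@example.invalid")
    alice.grant("special_offers", "signup_form", now - timedelta(days=30))
    alice.grant("newsletter", "trade_show_verbal", now - timedelta(days=365 * 3))
    out = {"offers": alice.consent_status("special_offers", now),
           "newsletter": alice.consent_status("newsletter", now),
           "survey": alice.consent_status("survey", now),
           "may_email_offers": alice.may_contact("special_offers", now),
           "export_sources": [c["source"] for c in alice.access_export()["consents"]]}
    alice.withdraw("special_offers", now)  # the subject withdraws consent
    out["offers_after_withdraw"] = alice.consent_status("special_offers", now)
    return out
```

In the sample, the three-year-old verbal newsletter consent comes back as due for re-consent, while a purpose nobody opted into is refused outright.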
Sales Outreach and Prospecting
Let’s face it, today’s selling has a lot to do with reaching out to potential clients with the intent to start building a business relationship with them.
And although there is nothing inherently wrong with this under GDPR, the new regulation might affect some aspects of your outreach process.
Namely, how you collect prospects’ emails.
For example, if your company regularly purchases prospect lists (which we don’t recommend in the first place), once GDPR launches, you will have to seek consent from all EU individuals whose names are on those lists before you can reach out to them.
You will also have to become more conscious about the data you collect. From next year, you will have to prove that any information you collect is necessary for your process, and be able to justify it.
“Any data that can directly or indirectly identify an individual falls under GDPR protection; the data subject must now be aware of what data is being offered to the data controller and give explicit consent to do so. It is no longer OK for a company to have an ‘opt-out’ function on a website, which will have a great impact on how cookie policies are delivered, and if a data subject signs up for one service they may not be contacted for anything not related to the services opted into.”
Here, let me show you what I mean.
This business asks for quite a lot of information on its form, including details about a person’s location.
And sure, this information could be necessary. For example, the company might operate sales agents in different regions, and would use the location to direct an inquiry to a relevant office.
However, if the location isn’t relevant to its sales process, under GDPR the company will have to remove those fields from the form.
How does this affect you, if you’re a non-EU business?
At minimum, you will have to be able to justify the data you collect from EU citizens, and prove that you need it for your organization’s processes.
If your organization purchases prospect lists, you will have to seek the consent of any EU individuals on them before you can process their data.
How GDPR Affects Marketing
I admit, there’s a lot of overlap in the way GDPR affects sales, marketing, and general business operations.
And we’ve already covered some of those — gaining consent and permission to use the data, re-consenting, etc.
But here are other ways GDPR will affect your marketing activities.
#1. Data Access
As you already know, GDPR gives individuals the right to edit or remove their information from an organization’s data.
What’s more, you need to provide your contacts with access to their data, and the ability to withdraw consent to its further use.
And I admit, it does sound intimidating and complex to implement.
But in reality, a simple link at the bottom of an email, allowing a person to manage their profile would suffice.
How does this affect you, if you’re a non-EU business?
You will have to give EU citizens an option to access, edit and remove their data.
#2. Website Cookie Policies
Cookies, small files websites add to a person’s browser to “remember” their actions or preferences, already came under EU scrutiny a while ago.
And rightly so.
As the GDPR document states:
“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
And so, the new regulation amends the existing EU legislation on cookies.
But What Exactly Will Change After GDPR Comes Into Effect?
You already know what regulations you’ll have to adhere to, and how they might affect the technology you use in your business.
But what will be the impact of GDPR on markets and customers?
Of course, we can only speculate at this point. But here is what I predict.
Shift in B2B buyers’ awareness of how their data is handled
GDPR is all about empowering individuals to have more control over their personal data.
And given the increasing coverage of the new regulation, I suspect this might lead to a greater awareness regarding personal information.
One area I could see GDPR having an immediate effect is lead generation.
Just think about it. The new regulation changes the way businesses collect email addresses. And once it launches, you’ll no longer be able to simply display a lead form or signup box and assume consent.
You will have to ask for explicit consent, provide information as to the type of communications a person’s going to receive, and give them access to edit and remove it, if needed.
As a result, customers might become more conscious of how you’ll process their data. This, in turn, could lead to fewer people willing to sign up for lead magnets, newsletters or offers.
Buyers might also prefer to buy from GDPR compliant businesses
GDPR classifies organizations in two categories:
- Data controller — a person or organization who determines the purpose for collecting the data, and
- Data processor — the party that uses the data on behalf of a data controller.
In many cases, a single organization could be both at the same time.
At the same time, a company might be outsourcing processing to a third party, often unknowingly.
But what’s important about this is that, under GDPR, both are directly liable for any personal data breach.
Here, let me explain.
Imagine a business using an online accounting platform. They store clients’ information in the system to generate invoices, create expense reports, etc. And so, the accounting software becomes a processor, storing and using the data.
Now, in case of a data breach at their servers, both companies might find themselves liable.
Similarly, if the accounting system is a non-EU company, then a business using their services to process EU citizens’ data will be exporting personal information. This is another area that GDPR legislates.
For that reason, many software companies set up hosting servers in the EU to store European customers’ data without exporting it.
These and many other changes will result in organizations demanding that their vendors become fully GDPR compliant.
First Steps Towards Compliance
Fact: GDPR is a complex piece of legislation. It encompasses many aspects of collecting, storing, and processing personal data.
But as it turns out, the first steps towards compliance aren’t that complicated, although they do require some work to amend your current processes.
As Niall McCreanor told us:
“When it comes to compliance, the first steps are to be aware of what is actually covered in the regulation; this is the law, and it will be enforced. It is not enough to say you are compliant, you must prove it. So if there is a reported breach within your organisation, you can prove what steps you have taken to become compliant.”
And here are the first steps you should take toward compliance:
Step #1. Document your data sources
Start by identifying every single source of personal data. A hypothetical list could include:
- your signup forms,
- lead capture forms,
- emails customers send with their information,
- trade shows or networking events where you collect business cards,
- employee forms and requests, and much more.
And I admit, there seems to be a problem with this. Because, as I’m sure you’ll agree, there is a significant difference between someone signing up on a website, and handing over a business card or letting you know their email address at a trade show.
In the first instance, you can get clear consent, as I’ve shown you above. In the other, not so much.
However, as Niall McCreanor from IT Governance confirmed, GDPR also allows for verbal consent, ideally, in the form of answering “yes” to a clear consent request.
In practice, this could mean asking a person at a trade show if they’re OK with you sending them an email after the event.
Step #2. Trim your current data
Remember, under GDPR, you should keep only the data that is necessary and that you can justify holding.
So, assess which of the information you hold is useful, and remove the rest.
Step #3. Seek re-consent of existing email lists
Once the new regulation comes into effect, you won’t be able to legally contact subscribers who didn’t give explicit consent for you to do so.
And depending on your lead capture process, you may have to seek the re-consent of your email list.
Step #4. Establish procedures and processes for handling and storing customer data
The first three steps will ensure that whatever data you hold is GDPR compliant.
But you also have to develop processes for handling it past May 2018.
These processes include:
- Accessing personal data by individuals
- Deleting their data
- Proving consent to store the data, etc.
Step #5. Create a data breach response process
A major aspect of GDPR is dealing with data breaches. And in the context of the new regulation, this term encompasses more than someone deliberately stealing data from your organization.
A data breach could also be:
- An employee losing a company laptop with customer personal data on it,
- A person accidentally emailing confidential documentation to the wrong recipient,
- Someone unknowingly installing malware on the company’s computers,
- And many others.
As part of becoming compliant, you should develop a process for dealing with all kinds of data breaches, detailing the steps you’re going to take in case such an event occurs.
As a business, you collect and process a lot of personal data, often unknowingly.
But once GDPR comes into effect, you will have to become more conscious about how you use prospects’ and customers’ information.
And hopefully, thanks to this guide, you know what you need to do to become fully GDPR compliant.
Best of luck.