What is GDPR Compliance and Who Needs It?
Starting May 25, 2018, the European Union (EU) implements the General Data Protection Regulation (GDPR), sweeping legislation aimed at data security. While ethical companies like Spade Design already abide by these rules, not all organizations are aware of the new data protection requirements. Even if your business is located in the United States, if it has an online presence, here’s what you need to know.
The Council of the European Union, the European Parliament, and the European Commission created the GDPR to protect all citizens inside the EU. Parliament originally approved the regulation in April 2016, and organizations have since had a two-year transition period to comply. After May 25 of this year, anyone not in compliance can be fined.
The GDPR is a lengthy document with 11 chapters made up of 91 articles. Here are some of the highlights:
- In Articles 17 and 18, individuals receive more control over automatically processed personal information. The “right to portability” creates requirements for simplified data transfer and guarantees the right to erase data in many situations.
- Under Articles 23 and 30, the GDPR requires organizations to use reasonable measures to guard consumer privacy and prevent exposure or data loss.
- Articles 31 and 32 regulate how companies handle data breaches. They set the time frames within which organizations must notify authorities and specify how the affected data subjects should be contacted. The GDPR also requires routine risk assessments.
- Article 35 requires companies that process data containing genetic, health, racial, ethnic or religious information to choose a data protection officer to act as a liaison between the company and Supervising Authorities. Even if that data is just part of human resource intake, a data protection officer might be required.
- Article 45 compels international companies that gather data from EU citizens to be subject to the same requirements and pay the same fines as companies that are located inside the EU.
- According to Article 79, non-compliance can cost up to four percent of an organization’s overall revenue.
Spade Design already places a high priority on data security, both for our offices and for the clients we serve. We only gather data after we receive verifiable, explicit consent, and we only use it for the purpose for which it was given. We counsel our clients to do the same. Our site and the ones we design use HTTPS to send personal and financial data over an encrypted connection, and our new data center is state of the art, surpassing other Tyler hosting companies.
Privacy and data protection are at the core of everything we do. Long before it became a regulation we had systems for testing and evaluating data security. We have also always allowed individuals to withdraw consent at any time, erasing their personal data from our records.
What Type of Data is Covered?
Any business that gathers personal data from EU citizens can be held accountable under the GDPR if it collects any of the following:
- Email contact information
- Social media contact information or activities
- Medical data
- IP address
- Financial information like banking or credit card numbers
Penalties and Enforcement
You pay your taxes because you want to avoid a visit from the IRS. You adhere to the speed limit (more or less, depending on who you are) because you don’t want a police officer to pull you over. One of the most common questions when it comes to GDPR involves who will enforce these new regulations.
The EU has designated Supervising Authorities (SAs) who have the power to investigate infractions and assign penalties. They’re like the police officers or IRS agents for EU data security. They can audit businesses and websites, review security certifications and issue warnings when they find violations.
If violations are severe or pervasive enough, they can order compliance, set limitations or require you to pay fines. In some cases, they have the power to disrupt the data flow of non-compliant organizations.
Fines depend on the seriousness of the infringement. SAs weigh 10 determining factors, including how many people were affected, whether the breach was intentional, whether the organization could have prevented it and whether the company had been breached in the past.
Lower level fines are up to two percent of an organization’s global revenue for the previous financial year. Upper-level fines are up to 20 million pounds (currently about 28 million US dollars) or four percent of worldwide revenue.
GDPR and Digital Marketing
One of the most important things marketers, and businesses that use marketing agencies, need to consider about GDPR is how it changes implied consent.
Before GDPR, marketers could email individuals as long as those individuals had the choice of opting out at the point of conversion. In other words, as long as they didn’t uncheck that little box that said, “send me special offers,” it was okay to send them email marketing.
Under GDPR, they must explicitly give consent.
It’s also no longer a good idea to automatically add event attendees to email campaigns without first asking their permission.
Some perspectives argue that businesses can continue to use legitimate interest as justification for continued marketing, but I’ll be very direct on this topic. We do not use black-hat SEO tactics, we don’t even use grey-hat SEO tactics, and this strict adherence to the advised ‘rules’ means that we encourage you to play it safe on all consent requests. The best practice is to obtain consent instead of trying to skirt requirements.
On-site forms need fresh scrutiny to ensure compliance.
Marketers and businesses would be wise to check with third-party tools and technology providers to make sure they also are storing data in a way that’s GDPR compliant.
What if Your Business is Just in the US?
You may speed for years and never get pulled over. You could cheat on your taxes and not get caught. Most people try to avoid doing both because they don’t want to take a chance and because it’s the right thing to do.
Every business with an online presence could potentially be impacted by GDPR, because your site is most likely accessible to EU citizens.
One important clarification involves EU citizens who travel. If a citizen of Germany stops by your Texas business and gives you information protected under the GDPR, that doesn’t subject you to a fine. However, if that same citizen sits in their home living room and supplies that information to your Texas website, the data is protected and GDPR does apply.
No financial transaction has to take place. They don’t have to buy your products; the fact that your site stores any of the protected personal data is enough.
Currently, the requirements say that any time an organization targets an EU region, GDPR applies. If a woman in France finds your apparel website by accident, there’s no requirement for how your site collects her data. However, if you write marketing copy in French and position it to reach audiences in France, that is considered targeted marketing. Likewise, if your e-commerce site accepts an EU country’s currency, you’re subject to the regulation.
Again, play it safe so you’re never at risk.
Best GDPR Practices For Any Company
Most people view GDPR enforcement as a tool that forces “shady” and questionable businesses to do the right thing and provides guidelines to help honest businesses keep data secure. Make sure that when you gather data, you specify the following:
- Your business’s identity and contact information
- What data you’re collecting, why you want it and how you will use it
- Whether or not that data will travel across international boundaries
- How long you will store the data
- What users should do if they want to check, correct or erase their data
- The fact that they always have the irrevocable right to withdraw consent
- Notice of the consumer right to lodge a complaint with contact information for doing so
For both compliance and peace of mind, take a look at your systems and note what personal data you gather, where you store it and how it might be at risk.
Update privacy notices and make sure you have procedures for monitoring and preventing security risks.
Spade Design and GDPR
At Spade Design, we believe in relevant marketing and in treating others the way we want to be treated.
We don’t rely on tricks to gather information; we simply want to be the best at what we do, creating high-quality work and delivering consistent value (that pays for itself).
We believe the best marketing doesn’t have to be pushy or sneaky.
We prioritize data protection because it’s the right thing to do and because it builds trust; it’s how we’ve always done business. This means we can, and do, work with EU companies. We also provide services for organizations in the United States that serve or sell to EU individuals and businesses.
If you would like to review how Spade Design can help your business, please contact us and we’ll be happy to help.