GDPR Could Cost You More Than a Pretty Penny
When I was a little boy growing up in rural South Africa, my grandmother did this horrible thing where she ambushed me with a spoonful of castor oil that she'd force down my throat. She did this once a season (spring, summer, autumn and winter: four times a year) to all of her grandchildren.
It happened with no warning. Her ambush was swift – usually just as we finished our dinner or while we were taking a bath… And in a matter of seconds all that was left was the godawful taste lingering in the back of your mouth.
“Don’t complain. It will be good for you. You’ll thank me later.” That’s the only explanation my grandmother gave as she walked away, already pouring the next spoonful, ready for another unsuspecting grandchild.
When I hear anything about GDPR, I taste that castor oil all over again.
GDPR is probably something you’ve heard about in passing and it’s likely that you don’t know too much about it – especially if your business is based outside the European Union (EU).
However, whether you are well informed on the topic or not, the fact is that the General Data Protection Regulation (GDPR) applies from 25 May 2018 and it will very likely affect your business in some way or another.
Now I know that sounds like the big bad wolf is standing at your front door and is about to blow your house down, but that is more or less what will happen if you are not GDPR compliant by 25 May. The clock is ticking fast and you literally don’t have a minute to spare to get started.
And just like getting a spoonful of castor oil forced down your throat, talking about GDPR is not very pleasant either.
However, in this instance, I happily quote my grandmother: “Don’t complain. It will be good for you. You’ll thank me later.”
GDPR in a Nutshell
With GDPR coming into force, data protection rules across all of Europe will see their biggest change in two decades. Since the laws governing how people’s data should be handled were drawn up in the 1990s, a lot has changed. We now create huge amounts of digital information each day, which are captured and harvested on anything from mobile phones to smart watches.
Suffice it to say, the laws overseeing our personal data simply aren’t fit for purpose anymore. Data protection has evolved and is no longer just a set of rules pointing at businesses, but is now more focused on the rights of data subjects – your customers.
Let’s put this in perspective.
Businesses like Amazon, Google, Twitter, and Facebook offer their services for free, as long as people hand over their data. It's more or less a business model that every business with an online presence follows. People (potential customers) regularly grant permission for their personal information to be used for a variety of purposes in exchange for 'free' services.
The dangers of granting such vast permissions are currently clearly illustrated by the ongoing Cambridge Analytica scandal, in which the profiles of a huge number of Facebook users were harvested and used in attempts to influence the 2016 US election. So, as a business, it is important to remember that even though you may think of the data as your "list" and as something that you "own", the fact is that each individual's data is on loan to your business until that data subject tells you that you can no longer use it.
With GDPR, people are given more control over how organizations use their data. It also gives organizations more clarity about the legal environment that dictates how they may behave when it comes to the harvesting and use of an individual's data. AND… (this is a big one!)… GDPR also introduces hefty penalties for organizations that fail to comply with the rules, including those that fail to protect personal data adequately or to report breaches.
While most of the publicity focuses on the deadline of May 25 and the severe penalties for noncompliance, it's important not to lose sight of the fact that GDPR is an ongoing obligation: organizations will need to demonstrate continued compliance after that date.
Taking the first steps
The main initiative of GDPR is to strengthen and unify data protection for individuals within the EU. However, it also addresses the export of personal data outside the EU, which is why for some businesses, being GDPR compliant may be as simple as fine-tuning existing data protection policies and processes… but for others, it may involve more fundamental changes.
Now, if you are thinking that GDPR only applies to businesses within the EU, then I have some bad news for you, because there are quite a few grey areas when it comes to doing business on a global scale.
For example, GDPR applies to businesses established in the EU (even if the personal data they collect is processed outside the EU), and to businesses anywhere in the world that offer goods or services (free or paid) to customers (data subjects) in the EU. To count as "offering goods and services" to data subjects in the EU, a company must "envisage" offering goods and services into the EU; merely being reachable from the EU is not enough.
I know… I can taste the castor oil… can you?
GDPR gets very "legal" and "jargonny", and we certainly don't have time to do a deep dive here today, which is why I suggest the first thing you need to do is find out where your business stands in terms of offering goods and services in the EU.
5 Factors that indicate a non-EU business does not envisage operating in the EU:
- Your business offers goods and services only in the language of your home market (it does not matter if that happens to be an EU language), and not in the language of any EU country.
- Your business does not take payment in Sterling, Euro or any other EU currency.
- You do not target EU residents by doing any of the following: advertising on EU websites, mailing to EU lists (including EU affiliate lists), or targeting EU countries in Google advertising.
- EU subscribers are treated like any other subscriber once they arrive on your lists (including marketing lists), and you don't specifically target EU residents on those lists because of their location.
- It is evident that you are a non-EU business and operate as such. Your business is based on home turf and you don't have offices or staff in the EU. Domain names, email addresses and phone numbers reflect your home market. Your content "speaks" to readers in your home market, not to EU residents.
If one or more of the factors listed above changes for your business, it is likely that you are (or will be) offering goods or services in the EU. This means that your business must be GDPR compliant.
As I mentioned earlier, non-compliance with GDPR carries the risk of substantial fines (up to €20 million or 4% of global annual turnover, whichever is higher) and other sanctions (including the requirement to pay compensation to data subjects). And while the fines look disproportionately big, much greater damage can occur through the breach notification requirements.
These require a business that suffers a personal data breach to notify the regulator within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to the individuals concerned), and, where the breach is likely to result in a high risk to those individuals, to inform the affected data subjects without undue delay, describing what data was affected. With social media at everyone's fingertips, it is likely that data breaches will quickly find their way into the public domain and be shared widely.
For that reason, my feeling is that reputational management should be a key motivator for businesses when it comes to implementing GDPR.
Don’t complain. It will be good for you. You’ll thank me later.