Best Practice in The New Era of Data Regulation: GDPR and Your Business

Chances are within the past two months you’ve received emails from companies asking you to “opt-in” rather than “opt-out” of their electronic mailing lists. This widespread drive to seek consent from consumers is not coincidental. It is the consequence of GDPR. Approved in 2016 but put into force in May of this year, the European Union’s General Data Protection Regulation (GDPR) updates the EU’s previous data regulation legislation, now largely outpaced by the growth of the internet and electronic data exchange. GDPR essentially establishes privacy as a fundamental right for EU citizens. The purpose of GDPR is to give European individuals a legal basis to protect their privacy rights as consumers, but the legislation without a doubt impacts business operations and marketing on a fundamental level.

What is most important for companies to remember is that GDPR applies to any company, worldwide, including US companies, that offers goods or services to EU citizens and in turn handles or processes some form of data of European citizens. In their most basic application, these new laws impact US companies that have EU citizens’ email addresses or personal information included in their direct marketing databases.

The personal data meant to be protected under GDPR includes names, addresses, email addresses, and even data that has been pseudonymized (although it depends on the level of encryption). Personal data can even include location data collected by websites, so it is recommended you talk to your IT department about how best to maintain compliance with regard to the electronic collection of personal data.

Under GDPR, companies and organizations must have a “lawful basis” in order to process personal data. There are six lawful bases: consent, contract, legal obligation, vital interests, public tasks and legitimate interests. Depending on the company’s organization or aims, the lawful basis for processing should be established, recorded and included in the privacy policy. If data is no longer necessary or if there is no legitimate purpose to keep it, it should be deleted. For most organizations, consent will be the most likely lawful basis for processing personal data. In other words, clients must give their consent in order for you to keep and process their personal data, and they reserve the right to access and erase this data.

Certain aspects of the legislation will only affect larger companies. For instance, public authorities or companies that process certain sensitive types of material must appoint an independent Data Protection Officer (DPO). There are also specific guidelines for organizations with more than 250 employees that require a more systematic approach to record keeping; however, no matter the size of your business, it is important to understand the basic principles of GDPR and to examine your internal methods of record keeping to make sure that they align.

The following are examples of best practice considerations that can serve as a starting point to ensure that your business is ready for the new era of data protection:

Are your vendors complying? This is especially important when you are contractually obligated to share personal data with your vendors. It is worth discussing which methods these organizations are using to store personal data and to make sure that your practices are in alignment.

Which systems do you use to store your information? This relates to internal record keeping as well as online systems such as Constant Contact and MailChimp. Be sure to check that all your software and online databases are compliant. Most have updated their privacy policies in recent months. Data encryption is becoming increasingly important and should be a consideration going forward.

Is your staff aware of the new legislation? Especially with regard to direct marketing, your organization should ensure that staff are properly trained and, in particular, that all purchased marketing lists were obtained legally and in accordance with the new legislation.

Does your email newsletter have an opt-out function? This has always been important, but now it is the law. With GDPR the focus is now on opting in rather than opting out. Sign-up forms should be easy to understand and use simple language so that individuals know what they are agreeing to. Anyone can opt out at any time.

If you have been contemplating a revamp of your privacy policy, now is the time. Every company’s website, regardless of the size of the company, should explain to clients and vendors how information is kept, whether it is sold, and to remind individuals that they can opt out of direct marketing at any time. Furthermore, individuals reserve the right to request that their data be shared with them or destroyed/deleted from records. We recommend this checklist to ensure that your company’s direct marketing practices are up to date.

Remember that while companies that do not comply with GDPR can face hefty fines, the motive behind compliance with the new legislation should be in the spirit of moving towards the growing value of consumer privacy, rather than due to fear of financial repercussions. “The fact is that this law [GDPR] is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. It’s true we’ll have the power to impose fines much bigger than the £500,000 limit… It’s also true that companies are fearful of the maximum £17 million or 4 per cent of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements, or that maximum fines will become the norm,” says Elizabeth Denham, the Information Commissioner for the United Kingdom. “Organizations are unique, and we want to help them understand what it means for them so that, whether they’re a micro-brewery with 20 staff or a tech start-up with 200, they can get it right.”

Time will tell how GDPR is enforced, especially with regard to non-compliance by companies not based in the European Union. Still, every global company should be aware of its internal data processing methods and ensure they comply with the new legislation. It is imperative that every employee who deals with personal data is made aware of new policies and re-trained if necessary. Clients need to be made aware of their rights through explicitly worded privacy policies and opt-in consent forms. GDPR most likely represents the first wave of international legislation protecting individual privacy, and US businesses should set the tone for future American legislation.
