The most significant change to privacy protection of the decade came into force in Europe this year. What does it mean for companies? Does it only matter for companies based in Europe? You’ll find the answers to those questions and more today. First, let’s clear up the most significant misconception about GDPR compliance.
The Most Dangerous Misconception About GDPR Compliance
Note: We are sharing our observations based on emerging industry best practice for GDPR compliance. However, this article is not providing legal advice. If needed, consult a qualified legal professional for advice for your specific situation.
At first glance, you might think, “my business is not based in Europe, so this regulation doesn’t affect me.” That’s a mistake. In fact, GDPR compliance is already impacting companies across the world, including many in the United States. There are three reasons why you should take action on GDPR compliance even if you aren’t in Europe.
Your organization has a European division. This is the most obvious situation. If you have an office in Europe, you’ll have European customers and prospects, thus GDPR compliance should be a priority for you.
Your website receives significant traffic from Europe. By nature, websites are accessible globally. This reason requires a judgment call on your part. If you’re currently accepting online orders from customers in Europe, or you intend to do so, GDPR compliance matters to your company.
You want to keep up with emerging privacy expectations. You may find that your company has no interaction with Europe at all. Even in that case, you should still focus on GDPR compliance. Why? GDPR has set a new standard for privacy protection, and many customers outside Europe will soon come to expect similar protections.
GDPR (General Data Protection Regulation) is a European Union regulation that came into effect in May 2018. It has attracted considerable attention from companies around the world. Why? The regulation comes with significant financial penalties for violations: up to €20 million (over $26.5 million), or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. Avoiding those penalties through GDPR compliance is a smart financial move.
The regulation has been in development for several years. Overall, it’s intended to protect the privacy of end users in Europe. For companies, it means some of your current sales and marketing practices and systems may need adjustment. Here are some of the most significant expectations created by the regulation.
Broad personal data definition: You might be used to defining personal information to mean name, address, and phone number. GDPR takes a much broader view. Specifically, see how article 4(1) defines the term: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
Keeping this broad definition in mind, a “data subject” has specific rights under GDPR, and can exercise them by making requests to your company. The rights that most affect sales and marketing systems are:
Right of access: An individual may ask for all personal data your company holds about him or her. That means records in a marketing automation system, a customer relationship management system, and beyond.
Right to erasure: The days of retaining information on every potential customer are coming to an end. Under GDPR, data controllers must erase data when “personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.” (Article 17) The same article lists other grounds, such as withdrawal of consent, and the right also comes into play when an individual requests data deletion.
Right to data portability: Upon request, data subjects are entitled to receive the personal data they have provided to you in a structured, commonly used, machine-readable format, and to have it transmitted to another organization where technically feasible (Article 20). That means no more locking in customers by keeping their data hostage.
Right to rectification: Data subjects have the right to make corrections to incomplete or incorrect data.
Fully achieving all those requirements is demanding and may be quite expensive. How exactly do you get started if you have significant GDPR exposure? We’ll tackle that challenge next.
Focus Your GDPR Compliance Efforts Using a Risk-based Approach
Since GDPR is new, we don’t yet know how the authorities will enforce it. The best approach is to start your compliance efforts now and focus on the most critical areas. The following principles will guide your approach.
Identify EU data subjects: Start by checking if your systems can consistently identify EU data subjects.
Carry out a practice rights exercise: Test whether you can comply with GDPR rights. For example, can you export all of a user’s data in a machine-readable format?
Identify GDPR weaknesses: Based on your practice run, create a list of GDPR weaknesses.
Prioritize gaps by risk: Using the list created above, decide which areas to focus on first. In most cases, we recommend starting with applications whose primary purpose is to hold customer data (e.g., CRM, marketing automation, customer service, and fulfillment).
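The practice rights exercise above, and the access, erasure and portability rights it tests, can be rehearsed in code before a real request arrives. The following Python script is an added example, not code from the original article or from any product it mentions. It models three hypothetical systems with constructed records (a CRM, a marketing automation tool, and a web log keyed only by IP address), runs an export and an erasure for one subject, verifies that nothing is left behind, and turns what it finds into the list of weaknesses the procedure asks for. Store names, field names and sample records are all assumptions made for the example.

```python
"""Practice rights exercise: run a data subject access/portability export and an
erasure request across several systems, then report where they cannot be honoured.

All stores and records below are constructed for this example; they are not real data."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DataStore:
    """A system holding personal data. `subject_key` names the field that links a
    record to a data subject; None means the store cannot make that link
    (for example, raw web logs keyed only by IP address, which is still an
    "online identifier" under Article 4(1))."""
    name: str
    subject_key: Optional[str]
    records: List[dict]


def _matches(record: dict, key: str, email: str) -> bool:
    # Compare case-insensitively: a common real-world gap is that the CRM stores
    # "Ana@Example.eu" while the marketing tool stores "ana@example.eu".
    return str(record.get(key, "")).casefold() == email.casefold()


def export_subject_data(stores: List[DataStore], email: str) -> dict:
    """Right of access / portability: collect every record held on the subject.
    Stores that cannot resolve a person are listed under 'unresolvable' so the
    gap shows up in the exercise instead of being silently skipped."""
    export = {"subject": email, "systems": {}, "unresolvable": []}
    for store in stores:
        if store.subject_key is None:
            export["unresolvable"].append(store.name)
            continue
        hits = [r for r in store.records if _matches(r, store.subject_key, email)]
        if hits:
            export["systems"][store.name] = hits
    return export


def to_portable_json(export: dict) -> str:
    """Structured, commonly used, machine-readable format for the portability right."""
    return json.dumps(export, indent=2, sort_keys=True)


def erase_subject(stores: List[DataStore], email: str) -> Dict[str, int]:
    """Right to erasure: remove the subject's records and report counts per store."""
    removed = {}
    for store in stores:
        if store.subject_key is None:
            continue
        before = len(store.records)
        store.records = [r for r in store.records if not _matches(r, store.subject_key, email)]
        removed[store.name] = before - len(store.records)
    return removed


def residual_data(stores: List[DataStore], email: str) -> List[str]:
    """Verification step: which stores still hold the subject after erasure?"""
    return [s.name for s in stores
            if s.subject_key and any(_matches(r, s.subject_key, email) for r in s.records)]


def gdpr_weaknesses(stores: List[DataStore]) -> List[str]:
    """Turn the practice run into the list of weaknesses the procedure asks for."""
    weaknesses = []
    for store in stores:
        if store.subject_key is None:
            weaknesses.append(f"{store.name}: cannot identify data subjects; "
                              "access and erasure requests cannot be honoured")
        elif any(store.subject_key not in r for r in store.records):
            weaknesses.append(f"{store.name}: some records lack the '{store.subject_key}' field")
    return weaknesses


def build_sample_stores() -> List[DataStore]:
    """Constructed sample data: three systems, one of which is keyed only by IP."""
    return [
        DataStore("crm", "email", [
            {"email": "Ana@Example.eu", "name": "Ana Silva", "country": "PT"},
            {"email": "bob@example.com", "name": "Bob Lee", "country": "US"},
        ]),
        DataStore("marketing_automation", "email", [
            {"email": "ana@example.eu", "campaign": "spring-2018", "opened": True},
            {"campaign": "spring-2018", "opened": False},   # orphan record with no subject key
        ]),
        DataStore("web_logs", None, [
            {"ip": "203.0.113.7", "path": "/pricing"},     # online identifier, but unlinked to a person
        ]),
    ]


def run_exercise(email: str = "ana@example.eu") -> dict:
    """Full practice run: export, erase, verify, and list weaknesses."""
    stores = build_sample_stores()
    export = export_subject_data(stores, email)
    removed = erase_subject(stores, email)
    return {
        "export": export,
        "removed": removed,
        "residual": residual_data(stores, email),
        "weaknesses": gdpr_weaknesses(stores),
    }


if __name__ == "__main__":
    print(to_portable_json(run_exercise()))
```

The point of the exercise is the `unresolvable` list and the weaknesses report: a store that holds personal data but cannot tie it to a person (here, the web log) is exactly the kind of gap that only surfaces when you rehearse a request end to end, and it belongs at the top of the risk-prioritized list.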
What Are the Cybersecurity Implications of GDPR?
To fulfill GDPR expectations, your organization needs strong cybersecurity protection.
Governments and the public have less tolerance for privacy mistakes and hacking incidents with each scandal. How can you tell a customer that you’ve erased all of his or her data if an attacker has already copied that data out of your systems? The same problem arises if an ex-employee used still-active access privileges to take data to a competitor. To reduce the chance of a data breach, you need a systematic way to govern who has access to personal data and to revoke it promptly when it is no longer needed.
Use Compliance Auditor to improve your access governance across the organization. You can revoke access and delete accounts directly from the solution, an excellent way to reduce risk when employees leave the organization.