This is a digital world, and a frightening amount of personal information is being shared online: banking details, contact lists, IP addresses, documents and social media feeds. Have we as consumers ever wondered how this data is collected, stored and used? This is why, in May 2018, a European privacy regulation called GDPR became mandatory for any business that handles the personal data of people in the EU.

Are all businesses GDPR compliant yet?

Dell and Dimension Research came out with surprising findings from their survey of 800 professionals responsible for data protection. It found that 80% of those surveyed had little or no idea of what the GDPR requires. In fact, months after it became mandatory, 1 in 4 companies had still not begun work on becoming GDPR compliant. And it is not just smaller businesses; many tech companies are trailing as well. It is time for a fast catch-up, since companies are already being penalized under the new rules.

Many companies beyond Europe, particularly in America and Asia, are setting up compliance programs. So, whatever your industry and wherever you are located, here is a summary of what GDPR is, how it can impact your business, and tips for getting compliant.

GDPR and data capture

On May 25, 2018 the new General Data Protection Regulation, or GDPR, came into effect. It applies to any business that collects or uses the personal data of people in the EU, regardless of where that business is based, and it equally covers the data processors that handle that information on the business's behalf (cloud hosts, email providers, analytics vendors and the like). What GDPR means is that customers have more control over their personal data. Personal data is anything that relates to an identifiable person: name, photo, email address, bank details, location, medical information or the IP address of their computer.

This has a far-reaching impact on how businesses engage with customers. The old opt-out process, or implied consent, can no longer be used. We have seen this already with Facebook: the social media giant has had to switch to an opt-in consent process. In the eyes of the law, inaction on the part of the user (a pre-ticked box, silence, or simply continuing to use a site) cannot be taken as consent to their data being captured.

Businesses must get GDPR compliant

Companies will have to review all their business processes and overhaul their sign-up forms. For example, if you send a newsletter, you will have to be able to prove that the customer explicitly opted in to it, which means recording what they agreed to and when. A blanket acceptance covering every kind of user engagement will no longer hold good; each purpose needs its own consent. Businesses also cannot make a service conditional on consent that the service does not actually need, such as blocking access to a website because the visitor declined to have their personal details captured for marketing.

Under the GDPR, individuals have 8 basic rights, and businesses carry a matching obligation to report breaches

  • The right to request access to their personal data and to know how it is being used by a business.
  • The right to be forgotten, i.e. the right to withdraw consent at any time and have their information deleted. The responsibility is on the business to ensure it is removed not only from its own systems but from every processor and partner it has been shared with.
  • The right to transfer their data from one provider to another (data portability), in a commonly used, machine-readable format.
  • The right to be informed, before any data is collected, of what will be collected, why, and for how long it will be kept.
  • The right to know what data is held about them and to have it corrected or updated at any time.
  • The right to restrict how their data is processed and shared.
  • The right to object to their data being used for any direct marketing activity, and to have that stop.
  • And most important of all: if their data is breached, the supervisory authority must be notified within 72 hours of the company becoming aware of it, and the affected individuals must be told without undue delay when the breach is likely to put them at high risk. This makes it vital for businesses to implement security checks at every level and implement a notification system as we

Penalties for GDPR violations

The General Data Protection Regulation is intended to build trust between consumers and the businesses handling their personal data. Any violation can attract hefty penalties on data controllers as well as data processors. For serious violations, fines can go up to 20 million euros or 4% of global annual turnover, whichever is higher. The size of the penalty depends on factors such as whether measures have already been taken to become GDPR compliant, the severity of the breach, the safeguards that were in place to prevent it, and how the company cooperated once it was discovered.

That EU regulators are coming down heavily on businesses in violation is evident from the $57 million (50 million euro) fine on Google and the complaints lodged against Apple, Facebook, Amazon and others. Google was penalized for failing to obtain valid consent from users before serving them targeted ads, and for pre-ticking consent boxes when users created a new account, so that personalization was switched on by default. The ruling shows that companies that profit from user data must be far more upfront about how they will use it.