
GDPR and you: Part 1

The GDPR (General Data Protection Regulation) rules go into effect on May 25th. Do you know whether the GDPR applies to you or not?

GDPR is all about how businesses worldwide collect, store, and monitor data of all types. Over the last several years there has been an influx of technologies (websites, CRMs, email marketing, marketing automation tools) that organizations use to collect information about their prospects, clients, members, suppliers and so on. It does not matter whether you purchased the information, whether individuals provided it themselves, or whether it consists of nothing more than names and email addresses: if you hold data on citizens of the European Union, you need to comply.

Non-compliance can result in fines of up to €20 million or 4% of your global turnover for the last 12 months. As with the Canadian Anti-Spam Law (CASL), the Accessibility for Ontarians with Disabilities Act (AODA) or any other legislation, the concern is not just the negative financial impact but, even more so, the reputational damage associated with non-compliance.

GDPR is an EU law, but the online world does not respect geographical boundaries, and data protection is a frontline issue.

How do you become GDPR compliant?

In order to be GDPR compliant, businesses not only need to protect prospect, client and member data, they also need to give these stakeholders the means to see and control their own information. Here’s a quick summary of the most important requirements under the GDPR:

  • Data must be processed and stored lawfully and transparently, i.e. with proper security measures at every touchpoint where the data is collected or shared.
  • Only the information necessary to complete the task may be collected, and proper consent mechanisms need to be in place (just like CASL in Canada or the CAN-SPAM Act in the US).
  • EU citizens must be given, upon request, all personal data that an organization has collected on them and told how it is being used.
  • If an EU citizen requests it, the organization must delete that citizen’s personal information.
  • Any breach of data or security must be reported within 72 hours.
  • Regular risk assessments must be conducted to review any risks to the data.
  • Organizations must appoint a Data Protection Officer if they manage large amounts of data on EU citizens.

As of May 25th, GDPR applies only to data from the EU; however, it won’t be long before the US and Canada have similar regulations of their own. Data protection is not going anywhere and will only become more important. So, even if you are not processing data from EU citizens, you should start preparing.

In our next post, we will cover some tactical recommendations to be GDPR compliant.