by Jennifer Xue
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, opening a new era of personal data protection and privacy for people in the EU. Although it is written to protect EU citizens and residents, businesses around the world should educate themselves on what it entails and how it affects their organizations.
In this article, we’ll discuss what GDPR is, what it protects, and how it affects businesses around the world, including yours.
GDPR builds on the Data Protection Directive of 1995, which it replaces, and on the Fair Information Practices that also helped shape US data protection policy. It gives EU citizens and residents control back over their own personal data.
In a nutshell, GDPR protects people in the EU against misuse of their data by individuals and organizations alike, wherever the data-collecting business or organization is based, in four ways. This means that even if your company or institution isn't based in the EU, you still need to comply with it when dealing with EU customers.
First, EU consumers have the right to obtain, on request, the personal data they have provided to businesses and organizations.
Second, EU consumers deal with organizations on more meaningful terms, because they are told how their data is being used.
Third, businesses and organizations are compelled to handle data more carefully, especially when they monetize it.
Fourth, businesses and organizations must focus on building trust with consumers while meeting the standard of service the GDPR requires.
Considering that the penalty for a violation can be as high as EUR 20 million or 4% of global annual turnover, whichever is higher, all businesses around the world that might be dealing with EU customers should adopt GDPR measures now. Even if your organization has no direct relationship with EU customers but, say, sends out a regular e-mail newsletter that reaches EU subscribers, you still need to adhere to it.
Below are the 15 essential points on implementing GDPR in your organization.
1. Store all data on employees, customers, and suppliers securely, with access limited to the people who need it. Back it up both online and offline in multiple places, and keep track of every copy: each backup is in scope when you have to delete someone's data or report a breach.
2. Parental consent is required before offering online services directly to children under 16 (individual EU member states may lower this threshold, to as low as 13).
3. Only keep data for as long as it is necessary. Data that is no longer needed must be purged promptly.
– Who is collecting it? It’s your business.
– What information is being obtained? The data subject’s personal information.
– How is it collected? Online via subscription form or other methods.
– Why is it being collected? Describe the reason, such as for servicing or marketing purposes.
– How will it be used? Describe how it will be used, such as to deliver products or send promotional emails.
– Whom will it be shared with? Describe the third parties with whom the data will be shared.
– Is the intended use likely to cause individuals to object or complain? Describe the intention clearly.
– What will be the effect of this on the individuals concerned? Describe the impact on the data subjects.
6. Be ready to respond to a person's request for their data within one month and free of charge.
7. Be ready to delete a person's data in full, without undue delay, when they ask for it.
8. Consumers must actively opt in before you store their data, for instance by ticking an unticked "accept" box or through a double opt-in such as confirming an e-mail subscription. Pre-ticked boxes and silence do not count as consent.
9. Use a layered opt-in form with two unticked boxes and a statement such as "Yes, I want to receive the latest marketing tips from ABC Company. Read more about how your information is used.", linked to a page that explains how their information will be used.
10. Design the form so that people can easily opt out or unsubscribe. No small print and no legal jargon.
11. Train all employees on the GDPR and how it affects their work.
12. If you purchase a mailing list, perform due diligence on it to ensure the contacts were collected in a GDPR-compliant way.
13. When selling your organization to another party, make sure the contract includes an "assignment clause" that allows the new owner to store and use the data for the same purposes.
14. If you want to keep using data you collected before May 25, 2018, ask the people concerned to opt in again.
15. If personal data is breached, you must report it to your local data protection authority within 72 hours of becoming aware of it, and inform the affected individuals without undue delay when the breach is likely to put them at high risk. Failing to do so is itself a finable offence (up to EUR 10 million or 2% of global annual turnover for this tier).
In conclusion, any business or organization that might encounter EU-based customers should implement GDPR policies to be on the safe side. Get yourself trained and set up a GDPR function. It's a new era for data protection and privacy.
Forbes Indonesia, August 2018