It's not often that certain laws get a lot of attention, but the General Data Protection Regulation (GDPR) – the massive piece of data protection legislation that will become effective 25 May 2018 – is the notable exception. It may seem like it's a long time before it comes into force, but with so much at stake, it's not too early to start thinking about what the GDPR is and how it will affect your business.
The EU has long been the leading jurisdiction when it comes to data protection and privacy laws, treating privacy as a fundamental human right through a series of legislative protections. But technology has jumped forward in the past few years, creating new business opportunities, all predicated upon the breath-taking growth of data collection and uses. The digital world presupposes borderless economies where data flows without impediment. Online commerce, whether via a laptop or a mobile device, such as a phone or even a watch, is not a thing of the future, but is here right now and is quickly becoming the default channel for consumers to find the goods and services they want. The seller's location is not nearly as important anymore as ease and speed of transaction. The result is the need for an update of the aging body of EU data protection laws, thus the GDPR.
The aim of the GDPR is simple - to put control over personal data back in the hands of the individual. A secondary aim is also worthy of mention, namely to strip away compliance complexity for companies doing business throughout the EU and beyond. With the GDPR, both aims are achieved. The consumer once again has a set of new codified data protection rights empowering her to control her personal data. Some include the right to be forgotten, the right to access her data, the right to restrict processing, the right to data portability and the right to object to profiling, or tracking. Also with the GDPR companies won't have to comply with twenty-eight different Member State data protection laws, some of which are in conflict. Most companies I speak with welcome the GDPR for this reason alone. It's a lot easier to comply with one law than twenty-eight.
Although the aims are noble, implementation of the GDPR will be wrought with confusion and business challenges that are an axiom of life. However, it need not necessarily be so, not if you are aware of the basics. Get those down and you're on the right path forward. So, here they are.
The GDPR applies to any company offering its wares to individuals in the EU or monitoring the digital behaviour of folks in the EU. Save the corner florist, it's a safe bet that the GDPR applies to you. And industries like digital marketing will be especially under the magnifying glass and need to pay special attention to compliance with the GDPR.
The GDPR has a two-tier penalty system that can be imposed by a local data protection authority, which has discretionary powers in deciding how heavy a hammer to drop. The first tier allows for penalties up to €10 million or 2% of your global turnover, whichever is greater. These penalties will be for the lesser transactions around process. The second tier allows for penalties up to €20 million or 4% of your global turnover, whichever is greater, and can be imposed for the more serious transgressions for violations of a person's new individual rights or failure to obtain the right form of consent – it's certainly punitive.
Most aspects of the GDPR require inward facing reflection upon what information you collect, how you use it and if there is a risk to the consumer for what you do. If there is a privacy risk, then you'll need to make sure the right privacy protections are in place. You need to be accountable for what you collect and how you use it.
There is a central outward facing component to the GDPR, which can't be overlooked, namely you need to ensure that you have the individual's valid consent before you collect personal data about her. There is nothing objectionable with that notion. However, the GDPR's consent requirements are quite high and if it's not done right - first by given really clear and transparent notice and deploying an easy to use consent mechanism - then consent may not be valid and you're at risk for the higher tier penalties. For example, the GDPR doesn't prohibit online profiling, or tracking, which drives much of the digital advertising industry and serves as a primary revenue source for many organisations. However, there is an expectation that a company will fully know what tracking is occurring, be able to disclose it, and will be able to honour the consumer's right to object to that profiling.
There's a lot to this thing called the GDPR and if you take nothing else from this article, know that it's not to early to start thinking about what you will need to do to comply with the law. Process review, modification, and solution deployment all take time, money and effort. Don't hit the panic button yet, but it's time to start the conversation.