With one year to go, what should business be doing to ensure it's compliant with the new Regulation?
In almost exactly 12 months’ time a radical new piece of legislation will begin to apply across the European Union.
The General Data Protection Regulation (GDPR) is set to change how organisations handle the personal data of each of the EU’s roughly 500m residents across every conceivable walk of life, from their Facebook page to their doctor’s notes.
And if you’re reading this from outside the EU, or are in the UK assuming that the inevitable slide towards Brexit will exempt you and your business, think again. The UK will still be a member state when the Regulation starts to apply, and there is little doubt the new law will apply to you too.
The GDPR applies from 25th May 2018. Much of the practical guidance (from the Article 29 Working Party and from national supervisory authorities rather than the Commission itself) is still being written, but in the interim there are some things we definitively know and some steps that businesses can take to start down the road to compliance.
- Be aware: If the opening to this post has left you baffled by what the GDPR even is, then step one has to be to get up to speed as soon as possible. A January survey of 2,000 IT professionals in the UK found that 53% had no awareness of the GDPR. In some respects this isn’t entirely their fault. Even those who have followed the drafting of the legislation for years are still waiting for clarification on many of its critical elements. There are plenty of resources out there, but beware any company touting legal services who claims to have all the answers: they don’t, not at the moment anyway. (See below for further information).
- Appoint a Data Protection Officer (DPO). Following on from point one, companies should assign responsibility to a single point of contact whose job it is to be the GDPR oracle. A DPO is mandatory for public authorities and for any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The test is the nature of the processing, not the size of the company, so a small tracking or ad-tech business can be caught while a large manufacturer may not be; even where a DPO is not mandatory, naming one is sensible. The DPO must act impartially and independently of the business, report to the highest level of management, and cannot be dismissed or penalised for doing the job, which could lead to this role being outsourced by many companies.
- Seek out advice from your national Data Protection Authority (DPA). Each member state has a supervisory authority, and it is the responsibility of these bodies to offer guidance and help to companies on the road to compliance. Because the Regulation applies directly and uniformly across the EU, and the ‘one-stop shop’ mechanism lets a business deal primarily with the lead authority in the country of its main establishment, being compliant in one member state should cover most bases across Europe. The caveat is that member states may add their own derogations in areas such as employee data and the age at which children can consent to online services, so check the local rules where you operate. Full list of local DPAs is here.
- Understand what the GDPR covers. The GDPR isn’t limited to the use of personal data in digital advertising, but as you’re reading this we will assume that’s the bit you’re most interested in. It is therefore imperative that you grasp the scope of the GDPR. It applies to all personal data, and your interpretation of what constitutes personal data may not be the same as the EU’s: the Regulation expressly names online identifiers such as IP addresses and cookie IDs as data that can identify a person, so a cookie or an IP is personal data just as much as a name is, while data about race or sexual orientation falls into the ‘special categories’ that attract stricter rules still.
- Learn what pseudonymised data is. The GDPR is designed to encourage business to rethink how consumers’ personal data is used, stored, moved around and deleted. One concept introduced to minimise risk is ‘pseudonymisation’: processing personal data so that it can no longer be attributed to a specific person without additional information (a key or a lookup table) that is kept separately and protected, so that someone looking at the data set alone could not attach a person to it. For example Awin hashes cross-device data so while we can use it to understand consumer journeys better in our multi-device age, we cannot determine who those consumers are in the journey. Two caveats: pseudonymised data is still personal data under the GDPR, precisely because it can be re-identified with that additional information, and the protection is only as strong as the secret that separates data from identity. An unkeyed hash of an identifier with a small value space (an IPv4 address, or an email address drawn from a known list) can be reversed by hashing every candidate and comparing, so it is the key or salt, held apart from the data, that does the real work. The concept of ‘privacy by design’ is important here.
- If you have customers in the EU, it doesn’t matter that you’re not based there. The GDPR protects individuals who are in the EU, whatever their citizenship, so it is irrelevant whether your business processes data there or has a legal entity there: if you offer goods or services to people in the EU, or monitor their behaviour (online tracking included), you have to comply. For those in the UK relishing life outside of the EU, think again, and the same applies to American businesses.
- There are several lawful bases, not just consent. Consent is only one of the six lawful bases for processing set out in the GDPR. Legitimate interests is another and can be relied on to use and store personal data, but it requires you to balance your interests against the individual’s rights and it’s likely the confines will be narrow. One of the most eagerly awaited pieces of practical advice for marketers is what constitutes valid consent, which the Regulation says must be freely given, specific, informed and unambiguous; pre-ticked boxes and silence do not count. This guidance should be released in June.
- Increased obligations. The GDPR applies to both data controllers and processors. In other words, companies that act on behalf of a controller (for example a cloud-based storage business) will carry direct legal obligations of their own, not just contractual ones, and will also need to get their houses in order. This extends the scope of the Regulation to a large number of additional companies, each of which will need to work out whether, for a given processing activity, it is a controller, a processor, or both.
- Don’t lose sight of the positives. Consumers have long been wary about how their personal data is used, and online tracking has introduced a whole extra dimension that few understand. By raising awareness and putting control in the hands of ordinary consumers, the GDPR gives industry a chance to rethink how permissions are sought and how data might legitimately be exchanged in the future. This offers forward-thinking and progressive companies the chance to shape a whole new way of engaging with future customers.
- You can’t just ignore it. Whether you think it’s the best idea ever to come out of the EU or the scariest threat to our digital economies, the GDPR is unavoidable. And to hammer home that message, breaches of the GDPR could land organisations with fines of up to €20m or 4% of annual worldwide turnover (whichever is greater). This is a significant message to industry.
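To make the pseudonymisation point concrete, here is an added worked example (it is not Awin’s code, and the click events, the key and the HMAC-SHA256 construction are all assumptions made for the illustration; the post only says that cross-device data is hashed). It contrasts an unkeyed hash of an IP address, which an outsider can reverse by simply hashing every address in a network, with a keyed hash whose secret is the ‘additional information’ the Regulation says must be kept separately. The keyed pseudonyms still let you join a person’s clicks across devices, which is the analytics use case, without the data set itself revealing who they are.

```python
"""Pseudonymising tracking identifiers: plain hash versus keyed hash.

Added illustration, not Awin's production code. The events, the network
range and the keys below are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional

# Constructed sample of click events, as an affiliate network might log them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ip": "203.0.113.7", "email": "alice@example.com", "page": "/shoes", "device": "phone"},
    {"ip": "203.0.113.7", "email": "alice@example.com", "page": "/checkout", "device": "laptop"},
    {"ip": "203.0.113.42", "email": "bob@example.com", "page": "/shoes", "device": "phone"},
]
DIRECT_IDENTIFIERS = ("ip", "email")


def plain_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, so records can still be joined, but
    anyone can recompute it for every candidate input and match."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    of GDPR Art. 4(5): it lives in a secret store, apart from the data set, and
    without it the pseudonym cannot be mapped back to the identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def reverse_plain_ipv4(target: str, network: str) -> Optional[str]:
    """Re-identify a hashed IPv4 address by enumerating a network and hashing
    each candidate. The whole IPv4 space is only 2**32 addresses, so this is
    cheap for an attacker; a /24 is 256 hashes."""
    for addr in ipaddress.ip_network(network):
        if plain_pseudonym(str(addr)) == target:
            return str(addr)
    return None  # no candidate matched: keyed pseudonyms land here


def pseudonymise_events(events: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Strip the direct identifiers and replace them with keyed pseudonyms.
    Non-identifying fields (page, device) are passed through unchanged."""
    out = []
    for ev in events:
        rec = {k: v for k, v in ev.items() if k not in DIRECT_IDENTIFIERS}
        rec["user_pseudonym"] = keyed_pseudonym(ev["email"], key)
        rec["ip_pseudonym"] = keyed_pseudonym(ev["ip"], key)
        out.append(rec)
    return out


def journeys(pseudonymised: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group pages by user pseudonym: the cross-device journey is still
    visible because the same key gives the same pseudonym every time."""
    paths: Dict[str, List[str]] = {}
    for rec in pseudonymised:
        paths.setdefault(rec["user_pseudonym"], []).append(rec["page"])
    return paths


if __name__ == "__main__":
    # Generate once, keep in a KMS or secret store, never next to the data.
    key = secrets.token_bytes(32)

    h = plain_pseudonym("203.0.113.7")
    print("plain hash reversed to:", reverse_plain_ipv4(h, "203.0.113.0/24"))
    k = keyed_pseudonym("203.0.113.7", key)
    print("keyed hash reversed to:", reverse_plain_ipv4(k, "203.0.113.0/24"))

    recs = pseudonymise_events(SAMPLE_EVENTS, key)
    for pseudonym, pages in journeys(recs).items():
        print(pseudonym[:12], "->", pages)
```

Rotating the key (for example per reporting period) limits how long any one pseudonym can be linked to a person, at the cost of losing joins across rotations; whoever holds the key can still re-identify the data, which is why the Regulation treats pseudonymised data as personal data rather than anonymous data.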
Before you panic, there is still plenty of time to familiarise yourself with the workings of the GDPR. The Information Commissioner’s Office in the UK has issued some particularly good advice for those starting out.
Alternatively if you want more background, this Wikipedia entry explains more about the working party engaged in rolling out the GDPR.