The European Union’s General Data Protection Regulation (GDPR) has been in effect for just over a year and a half now. In that time, regulators have already imposed more than $126 million in fines for companies that failed to comply with the law, including significant fines for Google, British Airways, and Marriott, and all signs point to continued, and possibly even ramped up regulatory assertiveness.
Data privacy laws are proliferating – the California Consumer Protection Act and Nevada’s SB 220 both went into effect within the last six months, and Maine’s Act to Protect Privacy of Online Consumer Information takes effect this July. Such legislation will only become more common.
GDPR violators can be fined as much as €20 million or 4% of your business’s annual worldwide turnover for the preceding financial year, so there are real stakes for your company in complying with the law. However, fully understanding the requirements and implementing a system that meets them can be a daunting task, especially if you’re tackling it on your own. Given the liability, we advise making your solution compliant sooner rather than later. Further, you can use the changes mandated by GDPR as an opportunity to improve your relationship with your clients and build deeper trust by giving them more control over how their data is used.
Soliant Consulting is not a legal expert, and your business’s legal team should be involved with any discussions related to GDPR compliance. We can, however, work with you to build a system that complies with GDPR and help you flag major areas with which you will need to comply.
Does GDPR Even Apply to Me?
GDPR is fairly broad in terms of the businesses that it regulates. It applies to two broad strata of companies: (a) those that are “established” in the European Union and (b) those that process data of European Union residents.
If your business has a branch in the European Union, seeks to do business with any companies or individuals in the European Union, or processes data related to the offering of goods or services to individuals in the European Union, your system likely needs to be GDPR compliant. Likewise, if your business processes personal data of individuals who are in the EU at the time their data is processed, your system should be GDPR compliant. This means that GDPR applies to companies that are completely outside of the European Union if they are processing the data of EU residents.
Brexit doesn’t provide a loophole, either. GDPR will continue to apply to the United Kingdom as it transitions out of the European Union at the end of 2020. Beyond that, GDPR has been absorbed into UK domestic law, so for all intents and purposes, GDPR will apply to the United Kingdom for the foreseeable future.
What Does GDPR Compliance Mean?
If GDPR applies to your business, it’s worthwhile to know a few of the key objectives of the regulation.
First, providing individuals with greater control over how their personal data is used is the heart of the GDPR. A major part of compliance is shifting away from the assumption that you can use customers’ personal data by default: instead, you need to obtain positive, affirmative consent from customers for how their data will be used. In short, you can no longer rely on prechecked boxes to add customers to your mailing list—the default setting will need to be the most private one going forward.
Second, as a business, you are required to actively manage the personal data you hold. This includes implementing privacy and security measures and deleting personal data that your business no longer needs.
Finally, GDPR requires that your business be transparent with individuals about what data you are using, how you are using it, and why, in clear, easy-to-understand language.
The general public in both the European Union and the United States has concerns about the lack of transparency around what personal data businesses hold about their customers and about customers’ lack of agency in controlling how their data is used. GDPR presents businesses with an opportunity to build trust with customers by providing them with information in a transparent and forthright way and collaborating with them on how you should use their data. At Soliant, we place a heavy emphasis on being a trusted advisor, and transparency and collaboration are key parts of that.
What Do I Need to Do Next?
If your business matches the criteria above, it’s worth working to make your systems GDPR compliant. You should consult with your business’s legal team on what exactly compliance means to them, but here are some key considerations:
- Establish the legal basis for collecting personal data. In most cases, it will be that you have obtained that individual’s consent or that your business has a legitimate interest in collecting that personal data. GDPR requirements will vary depending on the legal basis.
- Make sure your business can handle requests from individuals to see their personal data in a format that can be viewed and imported elsewhere.
- Make sure your business can handle requests from individuals to delete their personal data.
- Make sure your business can handle requests from individuals to correct personal data they believe to be wrong.
- Review and update your system’s default privacy settings and make sure they default to the most restricted option.
- If you’re collecting sensitive personal data, such as ethnic origin, religious beliefs, or medical data, this data requires special considerations.
- If the system involves a high risk to individuals’ personal data, your business should conduct a data protection impact assessment.
- If your business seeks to obtain consent from minors, it should come from their parent or guardian.
- If your system uses automated decision making, make sure your business can handle requests from individuals to opt out and have the decision reviewed by a human.
- If your system uses any cookies other than strictly necessary cookies, be sure to obtain consent.
- If your business uses vendors to process personal data, you should establish a data processing agreement with them.
- If personal data will be transferred to countries that are outside the EU, make sure those countries have been deemed to have adequate data protection.
- Make sure your business is clear on how to handle data breaches under GDPR.
GDPR represents a paradigm shift in terms of how we think about personal data and who can exercise control over it. Placing more control in the hands of consumers means that as a company, you’ll have the opportunity to develop a relationship with your customers that is based on trust and consent, which can result in them having a better experience.
Feel free to reach out to Soliant if you’d like to make the most of this opportunity with your FileMaker, Salesforce, or open-source software system!