GDPR is finally here!
The term entered with a BANG!
And big players like Google, Facebook, WhatsApp and other social media are already under its claws.
Lately, you must have noticed that almost all the social media platforms have changed or updated their privacy policies.
And you must have received tons of emails regarding the same.
So, what is this GDPR that everyone is panicking about?
Do you need to panic too?
No, you don’t need to panic, but you do need to start preparing and planning for how you will handle it.
I know! I know!
You are already busy with SEO, Social Media Marketing & Email Marketing, but for your own safety this one needs to be added to your “TO DO LIST” right away.
Before looking at how GDPR affected Google and Facebook, you first need to know what it is all about.
In this blog, I will guide you through everything you need to know about GDPR, such as:
- what it is
- how it can affect you
- what its guidelines are
- how it can lead to fines
and much more.
So that you can protect your website and your business from its clutches.
GDPR is especially important if you are running an e-commerce website or any other website which collects or processes personal data of EU residents.
So, let’s begin!
What Is GDPR?
GDPR stands for The General Data Protection Regulation.
It took full effect on 25th May 2018, after being approved by the European Parliament on 14th April 2016.
GDPR is a European Union law on data protection and privacy for all individuals within the European Union and the European Economic Area. The aim is to give EU citizens control over their personal data and to limit how organisations across the world collect and handle that data.
It defines rules on how the personal data of EU residents must be handled by websites and companies.
How Can It Affect You?
While GDPR is European legislation, it has a huge impact on businesses outside the EU as well, including in the US. It applies to almost all websites and companies, whether they operate inside or outside the EU, if they collect or process personal data of EU residents.
GDPR clarifies that it is not lawful for data to be transferred out of the EU to satisfy a third country’s legal requirement. Regardless of whether you’re based in the US, Japan or Germany, it applies to anyone who markets or sells any products or services to EU residents.
This means the size and location of your company don’t matter if you are dealing with EU customers.
Why Was GDPR Introduced?
It was introduced because the old laws were written before smartphones started collecting massive amounts of sensitive information for companies like Google and Facebook.
And as digitalisation increases in every industry, the risk of data breaches increases with it.
According to the RSA Data Privacy & Security Report, RSA surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S., and this is what they found:
- 80% of consumers lost their banking and financial data.
- 76% of consumers lost security information (e.g., passwords) and identity information (e.g., passports or driving licences).
- 51% of consumers are concerned about personal information being used for blackmail.
“As businesses continue their digital transformations, making greater use of digital assets, services, and big data, they must also be accountable for monitoring and protecting that data on a daily basis,” concludes the report.
Factors That the EU Law (GDPR) Covers:
The General Data Protection Regulation is 88 pages and 55,000 words long, and contains 99 articles and 173 recitals.
Let us take a look at some of the factors that can make you GDPR compliant and can be crucial for your business.
1. Clear Consent:
Articles – 7 & 8
As per the General Data Protection Regulation, organisations cannot use data without clear consent.
This means that before collecting any kind of data, a company must get proper permission from its customers. The company should also give users more clarity over what kind of data is being collected and what it will do with it.
The purpose of collecting data should be clear to the user from the beginning and must be used for that purpose only.
GDPR gives companies the proper guidelines of what they can and can’t do with personal data. It also limits how data is collected, used and shared.
You, as an organisation, have to be very clear on what personal data you are collecting from the user.
The law considers the following to be personal data:
- Email Address
- Social Media Data
- IP Address
- Bank Details
- Medical Information
- Political Opinion
- Religious or Philosophical Beliefs
- Sexual Orientation
- Racial or Ethnic Origin
- Biometric Data
2. Only Collect Data That You Need:
As the heading says, you are not allowed to collect any information about the customer that is not related to you or your business.
Don’t even ask your customers questions which are irrelevant to your products or services.
Don’t collect information which you are not going to use, and if you are going to use it, be very clear about what you are going to use it for.
- You can collect an address if you want to deliver a product or a giveaway item to the customer.
- You can ask for their phone number for customer verification and to prevent spam or scams.
Some e-commerce companies also collect the IP address to verify the local address given by the customer and avoid fraud, which is acceptable under the General Data Protection Regulation (GDPR).
But everything needs to be mentioned in your terms and conditions.
3. Data Access By Customer:
Articles – 15 & 16
The company should allow customers to access their data any time they want, for modification and rectification.
The customer should be able to know what personal data is being processed by the company.
Also, the customer should be able to transfer their personal data to themselves any time they want, in a popular file format such as PDF.
4. The Right to be Forgotten/Erasure:
Article – 17
As per GDPR, the company has to give its customers the right to have their personal data erased or deleted from its site on demand.
This is very important, as is visible throughout the legislation. However, the right to be forgotten is not absolute: under certain conditions it does not apply.
This means that, with valid reasons, you can retain a customer’s data.
5. Email Marketing:
“Silence, pre-ticked boxes or inactivity should not constitute consent.”
The General Data Protection Regulation (GDPR) also impacts your email marketing strategies. It sets out how customers’ email addresses should be collected, stored and used.
- Customers should have the right to choose whether they want to subscribe to a newsletter or not.
- Customers should be allowed to unsubscribe from email marketing messages easily, any time they want.
- Email consent must be freely given; it should not be bundled with other terms and conditions.
- Don’t ask for any unnecessary information beyond an email address without a valid reason.
6. Protection of Data:
You, as an e-commerce company or any other website that collects information, are responsible for handling customers’ data securely.
All necessary measures should be taken by the company to protect customers’ information from the very first step.
Customer data should not be transferred to any third party, and its safety should not be compromised.
7. Data Protection Officer:
Articles – 37, 38 & 39
As per these articles, if you are a public company or process large amounts of personal information, then you must appoint a “Data Protection Officer”. This is not required for small businesses.
The tasks of a data protection officer are as follows:
- Monitor and advise the controller and the employees who carry out data processing.
- Assign responsibilities and provide training to staff involved in data processing operations.
- Conduct audits on a regular basis.
- Cooperate with the supervisory authority and higher management.
- Act as a contact point for the supervisory authority on any issues relating to processing or data breaches.
- Help customers with all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.
8. Breach Notification:
Articles – 33 & 34
According to GDPR, in case of a data breach the data controller must inform the supervisory authority within 72 hours, unless the breach is considered harmless and poses no risk to individuals’ data.
However, if a breach is high-risk, then the company must also inform the individuals whose data was affected right away, without any delay.
9. Fines:
Article – 83
The General Data Protection Regulation mentions two levels of fines that can be imposed on an organisation not following the regulation:
- A fine of up to 2% of annual global turnover or up to €10 million, whichever is greater.
- A fine of up to 4% of annual global turnover or up to €20 million, whichever is greater.
The actual fine can vary, however, depending on a number of factors.
How Did It Affect Google and Facebook?
Within hours of General Data Protection Regulation (GDPR) taking effect on 25th March 2018, noyb.eu (a newly founded Austria-based privacy-advocacy group) filed four complaints about “forced consent” against Google, Instagram, WhatsApp and Facebook.
“It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’,” says Max Schrems (noyb.eu).
These complaints could carry fines of up to €7 billion in total.
Now big companies have started updating their Terms and Conditions to become GDPR compliant.
According to the BBC, Google gave a statement saying “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation.”
Users in the EU will be presented with more detailed and specific terms of service. Also, to use certain features, teens aged 13 to 15 have to provide Facebook with their parent’s or guardian’s approval.
They are also making privacy checking easier for users by introducing direct links to check what data the company has and decide whether they want to share it or not.
The Facebook-owned company WhatsApp has also allowed users to download the “limited” information it collects. Users can request their account information to see what is being collected by the company. WhatsApp messages are end-to-end encrypted.
Instagram will also allow users to download the information collected on the app, although it hasn’t announced that this move is specifically for the General Data Protection Regulation (GDPR).
The General Data Protection Regulation Do’s and Don’ts:
All this law talk can be a little overwhelming.
So, let me break down all that we have learned in simple points.
- A copy of personal data shall be provided to the customer free of charge when asked for.
- Give users the right to erase or delete their personal data. Retain it only when you have valid reasons.
- If necessary, hire a Data Protection Officer.
- Install high-security software to protect data and check your data workflow.
- Conduct a full data audit on a regular basis.
- Plan in advance for handling any data breach.
- Maintain proper transparency with your customers.
- Provide an unsubscribe option next to the subscribe option.
- Take permission before collecting data.
- Allow customers to access their data any time they want.
- Do not hide email consent within other terms and conditions.
- Don’t take any irrelevant personal information from customers.
- Do not track customers’ browsing history for SEM purposes.
- Never share customers’ information with any third party.
- Do not hide information regarding a data breach.
- Avoid using pre-ticked boxes.
- Do not make subscribing mandatory to access the website.
- Do not collect any information from customers without informing them.
After going through this blog, you can tell that GDPR is not your enemy and doesn’t want to harm websites with good intentions.
The main purpose of introducing the General Data Protection Regulation (GDPR) is to create transparency between organisations and EU residents. And you can use it as an opportunity to build trust in your brand by being loyal to your customers.
So, what is your opinion on GDPR?
Do you find it troublesome or useful?
Let me know your opinion in the comment section.
Rishabh is a Restaurant Manager at PappaRoti in Muscat (Oman). He started his career as an Associate Manager at Domino’s Pizza in New Delhi (India). He completed his graduation in Hospitality & Hotel Administration (B.Sc. HHA) from IHM Meerut. He is also a passionate blogger and founder of Createsyou.com where he writes about various types of marketing strategies and other tactics that the brands and hospitality industry can use and are using.