Compliance Series: Part 2
In 2018, the European Union enacted a new law, the General Data Protection Regulation (GDPR), to protect its citizens from having their personal information stolen or sold. The legislation protects EU citizens, but in practice it is a global law at this point. Any business in the world that mishandles the personal information of an EU citizen, including something as simple as improperly tracking a cookie on its website, can be fined for non-compliance. Those fines are not cheap: a company failing to comply with the regulation could be subject to a forfeiture of 4 percent of its annual revenue. In its first year, 95,000 complaints were received by Data Protection Authorities (DPAs) all over the EU. It’s here to stay, so should you care?
Of the 95,000 complaints received, telemarketing, promotional e-mails, and video surveillance were the top culprits. So far, three fines have been issued by DPAs for GDPR violations. The largest fine issued was in the sum of €50,000,000, for lack of consent to the processing of personal data. Compliance is no joke, and it can be tricky to implement. 50% of all businesses still have not migrated into the world of GDPR compliance, even though they know it could end in litigation. This carries over to American companies that either employ EU citizens or serve them. Even if your business is in the States, you can still be fined from across the pond.
The main idea behind GDPR is protecting citizens and consumer rights. Not only are businesses held responsible for storing people’s information, but they are also held accountable if any misuse occurs to that information. If data is hacked, that business is obligated to report it within 72 hours of the breach and give a detailed account of the data that was stolen. In addition, under GDPR, citizens can request to have their information taken out of data storage, and a business must comply.
Currently, social media networks and automated email services are the hardest hit by GDPR. Facebook has seen a steady decline in European consumers, and it has also cracked down on how advertisers can use FB ads to target certain audiences. Email marketing has seen an increase in opt-outs and tighter spam regulations, changing the marketing game for many companies.
In order to become compliant with GDPR, you will first need to appoint someone as your DPO, or data protection officer. This person will be the point of contact and the GDPR expert. They’ll need to be able to handle IT services as well as monitor all the data handling processes in your company. Then, of course, they’ll need to consistently monitor any area that may be impacted by GDPR and ensure it stays in compliance. It is highly recommended that the DPO go through thorough training on the subject so they know exactly what to look for when it comes to staying compliant.
GDPR is great at protecting citizens, and most professionals believe it’s only a matter of time before the United States adopts similar regulations. It’s always better to be prepared, so perhaps it’s time to look into GDPR compliance.