Do you know how GDPR compliance affects your business?
Even if your business is not based in Europe, GDPR may still affect you – and not being on top of it could be very costly for your organisation. Non-compliance has led to some companies receiving massive fines from regulatory bodies. For example, last October, the Information Commissioner’s Office (ICO) dished out some hefty fines…
- British Airways was fined 20 million pounds for their failure to protect the personal and financial data of over 400,000 customers.
- Hotel chain Marriott International was fined 18.4 million pounds for failing to keep millions of customers’ personal information secure (following a cyber attack that took over four years to be detected).
Other fines have been handed out for improper cookie handling, sending unsolicited marketing messages (aka spamming), not honouring unsubscribe requests, failure to disclose sharing of data with third parties, or otherwise generally compromising customer data.
Read on to find out more about GDPR compliance. Please keep in mind that nothing you read here is a good substitute for legal advice. We recommend consulting with an attorney to understand how the GDPR applies to your specific situation.
What is GDPR Compliance?
The GDPR (the General Data Protection Regulation) is the official regulation in the European Union for data protection and privacy; it was adopted on 25 May 2018. Every company that does business in the European Union (EU) must protect the privacy and personal data of EU citizens under the terms of GDPR. This applies to all transactions or business communications which occur within any EU member state.
It not only carries rules for transactions within the EU, but it also regulates the export of personal data and its processing outside the EU. As such, the GDPR is relevant to small businesses, agencies, companies, marketers, and anyone who deals with the EU on a digital or business basis.
What is Personal Data?
Regarding GDPR compliance, personal data is any piece of information that could identify a living person, either directly or indirectly. Personal data may be collected from a subscriber, customer, client, or any person who has visited a business’s website or social media channel. Personal data could include:
- Email address
- IP address
- Physical address and location data
- Health and medical information, genetics, biometrics
- Religion, race/nationality, sexual orientation, political beliefs
Is Your Business GDPR Compliant?
A few quick definitions before we explain the 7 main tenets of GDPR…
- Processing: the collection, organisation, recording, storage, or undertaking of any operations with data.
- Controllers: those who decide the means of processing personal data and its purpose.
Businesses are the controllers of personal data, whereas processors collect and process that data on the controller’s behalf. Processors are often, but not always, a third party. This is why it’s important to ensure that your third-party software applications are also GDPR compliant.
Seven Main Principles of GDPR – Simplified
- Lawfulness, fairness, and transparency
Firstly, data collection must be lawful (ie. it follows the requirements set out by GDPR). You need to be clear with your customers as to what their data is to be used for (transparent), and only use it for that purpose (fair). If you need to supply their data to third parties, you need to be upfront about this.
- Purpose limitation
This builds on fairness – data collection must be for “specified, explicit and legitimate purposes”, meaning you need to be very specific about why you are collecting this data and convey this to your customers.
- Data minimisation
Collect only the data you need – you will need to justify the amount of data you collect, so having a detailed data collection policy document will help.
- Accuracy
When data becomes old or obsolete, erase it. Try to update data as much as possible – do not store old and outdated customer information.
- Storage limitations
Similarly to data minimisation and accuracy – personal data must be deleted once its purpose has been served. Choose how long your data retention period lasts and remember to add it to your data collection policy document.
- Integrity and confidentiality
Your business is expected to protect the data you collect and process by ensuring appropriate technical and organisational measures. This includes protection against unlawful processing (eg. hackers) or accidental loss/damage.
- Accountability
If you collect the data, you’re responsible for it and its security.
Lawful Basis for Data Processing
GDPR compliance law stipulates the legal basis for personal data processing. Consent must be given expressly by the person (eg. via opt-in to a contact or SMS list). Processing the data must be necessary for carrying out a contract, delivering a service, complying with the law, for the public interest or personal safety, or the performance of certain official tasks.
The Rights of the Individual
According to the GDPR, individuals have the right to be informed that their data is being collected and for what purpose. They are also entitled to know with whom it will be shared and how long it will be kept. Individuals may also gain access to their data for free and have the data corrected if out of date or inaccurate. People may also request their data be erased if there is no longer a legitimate need to keep it. They may also obtain and use their own personal data across other services; as such, it should be portable via CSV file or similar.
Seek Legal Advice
There are many complexities relating to the GDPR, compliance, consent, and other factors. If a business, even outside the EU, is found to contravene or breach the GDPR, the EU does potentially have the power to litigate against it. This carries, at the very least, significant fines.
Note: the information in this blog post is general in nature; you must seek professional corporate legal advice to answer specific questions relating to your own business, organisation, or policies as GDPR applies to them.
What Can You Do?
- Be informed of GDPR and your local laws.
- Review your data collection processes.
- Only collect and keep personal data obtained lawfully.
- Delete personal data you no longer need.
- Audit the personal data you hold.
- Only ever use data collected via opt-in (no email lists!)
- Make opt-out options clear and simple to enact.
- Safeguard personal data protection.
- Partner with legitimate third-party providers who comply with GDPR.
Partner with ClickSend
ClickSend is a leading, Australian-based SMS gateway and bulk email platform. We provide an array of associated services and digital solutions. We work with a global clientele and are committed to delivering unparalleled, superior services in compliance with GDPR legislation.