GDPR and You

You have probably heard the term GDPR by now. You probably are either reviewing online articles referencing it (thank you for reading BTW), scratching your head at it, dismissing its relevance to your situation or having brief water-cooler conversations with your co-workers about it.

But are you and your company truly prepared for it?

What is GDPR?

GDPR is an acronym for General Data Protection Regulation. It is a European Union (EU) regulation that will generate the biggest changes in data protection in the EU since 1995. GDPR was created to bring as much uniformity into data protection as possible. This new regulation is better suited to the challenges our current digital world poses.

The GDPR was adopted in mid-2016 but included a two-year “transition period” before enforcement begins on May 25, 2018—an indication that the EU regulators recognized how difficult it would be for many businesses to institute the measures for compliance. Nevertheless, few firms have taken advantage of the full grace period. One global survey at the beginning of 2017 found more than half (54%) of the responding organizations had not advanced their GDPR readiness.

In general, GDPR requirements relate to eight fundamental rights people now have over their personal information:

• Right to Be Informed
  • Clearly worded and easy-to-find privacy policies published by organizations, as well as easy-to-follow methods to respond to customer inquiries quickly.

• Right of Access
  • When a customer requests a copy of their information from a particular organization, it must be sent free of charge in a commonly used electronic format within a month of the request.

• Right to Rectification
  • Organizations must amend incorrect or incomplete information in a timely fashion when asked to do so by a customer.

• Right to Erasure or to Be Forgotten
  • Organizations must comply with requests from customers to delete their personal information from all systems.

• Right to Restrict Processing
  • Individuals can prevent the use of their data for a particular task or function. But organizations are allowed to keep enough data to be able to do so.

• Right to Data Portability
  • Individuals who have opted in to provide personal data can request that the data be shared with another organization, and this request must be met.

• Right to Object
  • Individuals can object to their data being used for a particular function and can rescind previous consent.

• Rights in Relation to Automated Decision-making and Profiling
  • Individuals are protected from potentially damaging decisions being made without human intervention and without the knowledge of the individual.

Who has to pay attention to it?

For American companies, it is tempting to dismiss and move on, but it also applies to companies outside the EU region that monitor the behavior of people within the EU and to non-EU companies that offer goods or services within the EU. So, having a CMS that can distinguish between visitors based within and outside the EU is of great benefit. In other words, based on geolocation, the CMS would not use analytics from EU-based visitors without obtaining their consent, stating they agree for the site to track their web behavior.

What does this mean for businesses?

This ultimately means businesses should view themselves as data controllers that need to review their relationships and activities with platforms and agencies that are typically serving the role as data processors. There needs to be more attention paid to data capturing processes and opt status. If you partner with an agency that has always been on top of customer opt status and the right way to engage customers, then you are in a better position than others.

DISCLAIMER: All data and information provided in this blog post are for informational purposes only. thunder::tech makes no representations as to the accuracy, completeness, currency, suitability or validity of any information contained herein. We recommend consulting with a legal professional for any legal advice pertaining to GDPR compliance.

Next Steps

• Schedule time to talk to us, your trusted advisors, and we can help review all of your online and relevant marketing and sales activities today to see where you stand.
• Look to a partner of ours, Kentico, who has a global customer base and really led the way with providing great insight and a platform to help you tackle GDPR. We have taken a great deal of their direction to help put this article together.

Additional Resources

• GDPR Masterclass and Whitepapers
• Tackling GDPR with Kentico 11 EMS
• GDPR Compliance and Your CMS
• Rules for the Protection of Personal Data Inside and Outside the EU
• Official GDPR Regulation Language from the EU
• Guide to the General Data Protection Regulation (GDPR)