The General Data Protection Regulation goes into effect on May 25th. Here’s how it’ll impact online businesses.
What is it?
On May 25th, the European Union will be enacting the General Data Protection Regulation (GDPR), a new set of rules designed to ultimately consolidate and protect consumer data across all EU member nations.
The GDPR applies to the personal data of anyone that is located in the EU at the time it is captured. For example, if an American citizen is in the EU at the time they visit a website of a merchant anywhere, the personal data collected and processed at that time is protected.
Companies that put the personal data of customers at risk or otherwise don’t align with GDPR requirements may be dealt extremely steep penalties. The maximum fine can be as high as EUR $20 million or 4% of a company’s annual revenue, whichever is higher.
User Consent a Primary Focus
The GDPR establishes a set of standards for protecting and processing customer data and to meet these standards, a variety of safeguards will need to be implemented. One such safeguard is to ensure that when consent is required to be obtained from a customer, that the customer has the opportunity to provide their consent freely, specifically, and unambiguously. This means that many online businesses will have to make changes that include removing mandatory consent requests for a service (unless it’s necessary for successful service delivery), removing pre-selected opt-in boxes other pre-selected options, naming your organization and all third parties who use the data that gets collected, and keeping all consent records and methods documented.
In addition to a stricter process for giving consent, customers who wish to withdraw their consent, edit their personal data, transfer data between vendors, or delete their account entirely must be able to do that at any given time. Companies must make this process just as effortless as the original consent was to begin with, and they must clearly communicate how this is done.
For a complete breakdown of the GDPR consent guidance, click here.
Security and Accountability
Another area that is going to be impacted heavily by GDPR is the state in which data is managed, protected and reported on in the event of a breach.
GDPR will require all businesses to exercise a “reasonable” level of security to be deployed when it comes to protecting user data as well as more detailed requirements to security protocols.
Larger businesses will need to appoint a Data Protection Officer, who will be held accountable for reporting all breaches to regulators. Additionally, all digital companies will need to compose a documented procedure for how to deal with a breach when it occurs, and report these breaches within 72 hours.
Ensuring Policies Are Up to Speed
GDPR is a significant overhaul to how online businesses handle and manage user data, and advertisers and brands will need to make sure they’re educated on the new regulations if they aren’t already.
While there’s no avoiding the fact that becoming compliant will take a lot of effort and resources, businesses that not only follow these regulations, but do so in a way that shows by example are poised to capitalize tremendously. After all, users that trust your business and become loyal to it are likely to convert more or generate higher order values.
The GDPR is a broad regulation that impacts almost every touch point with customers. Because of the complexity associated with the new law, you may want to collaborate with specialists or legal advisers to determine how the GDPR applies to your specific situation and ensure your business operates in a compliant way. For more information on GDPR, click here.