You have seen or heard the term “GDPR” & might not have considered it important. But did you know that GDPR also applies to YOU if you are a Businessman in India who has customers in EU or handles data of individuals residing in EU? You are expected to be compliant in that case.
What is GDPR?
GDPR is the short form of “Global Data Protection Regulation” which was launched by European Union to protect data of individuals in EU & also is compliant for Personal Data export out of EU. It was adopted on 14 April 2016, and after a two-year transition period, it now becomes enforceable on 25th May 2018.
The primary aim of GDPR is to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Scope of GDPR
GDPR is a regulation which holds good in European Union or the EU.
As per 2018 stats, there are 48 countries which are part of the EU:
13. Czech Republic
29. Bosnia & Herzegovina
32. TFYR Macedonia
40. Channel Islands
41. Isle of Man
43. Faeroe Islands
47. San Marino
48. Holy See
As GDPR is a regulation & not a directive businesses & individuals across EU & the world are expected to be compliant if they either have customers in EU or process individuals data who reside in EU as it is applicable for everyone & does not need Individual Government’s to pass Legislations to enable it.
According to the European Commission,
“personal data is any information relating to an individual, whether it relates to his or her private, professional or public life.
It can be anything from a
2. A Home Address,
3. A Photo,
4. An Email Address,
5. Bank Details,
6. Posts on Social Networking Websites,
7. Medical Information, or
8. A Computer’s IP address.”
The company which deals with the individuals data be it a customer or be the company a social media platform – it is called as “Data Controller” in the context of GDPR & a company which might not have direct contact with the individuals but only processes data for the “Data Controller” & might exist in another country is called as the “Data Processor”. Though this kind of arrangement is agreed upon by GDPR the expectation is that the “Data Processor” is also liable to be compliant to GDPR though they may not be in a country which falls under the EU. Thus, this regulation covers a wider base & extends outside EU too.
Let us look at some of the items on the GDPR Checklist that you should be ready with to make your business GDPR Complaint.
GDPR Compliance Checklist
These are the items that you need to ensure your business has in place to be GDPR Compliance ready.
1. Explicit Consent:
Consent from a website visitor or a customer before taking their information or processing their information. Consent until now was supposed to be implicit but GDPR stresses on obtaining explicit consent from the individuals.
The explicit Consent is a matter of responsibility of the data collector & if there are children involved their parents or guardian’s consent is to be recorded.
This can be done by stating outright that the Website/Business gathers, stores & processes information of the visitors or customers & also can be verified by the double-opt-in case of an emailing list.
This also extends to phone calls & the individual calling has to explicitly state that the “Current call is being recorded for training purposes & Consent to be given by the customer or the prospect & if the Prospect or Customer does not Consent then the call should be stopped from recording & whatever has been recorded so far to be deleted & not stored in records”.
2. Data Protection Officer:
A Data Protection Officer is supposed to be appointed by the Data Controller organisation to take care of the GDPR regulation & the officer is supposed to be trained in IT and needs to have a small staff underneath him.
Though he is employed by the Organisation he is supposed to act independently to protect customers data.
Pseudonymisation is a process using which the saved data is then converted into “Illegible” data thus protecting it from being misused or being stolen & used by other sources.
The data can only be made Legible using a Decryption key which is supposed to be kept away from the actual data so that the probability of getting hold of the decryption key is very less thus ensuring that the data is safe.
4. Data Breaches:
In case of a data breach incident, the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. There is a maximum of 72 hours after becoming aware of the data breach to make the report.
If the data breach represents data which can not be read without an encryption key then the data subjects (the individuals) don’t need to be notified regarding the data breach but if it is plain data then the individuals have to be notified along with the supervisory authority regarding the data loss.
5. Data Protection by Default:
Under GDPR, Data Protection by the Data Controller is supposed to happen by Default. Privacy settings must, therefore, be set at a high level by default, and technical and procedural measures should be taken by the controller to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation.
Controllers should also implement mechanisms to ensure that personal data is not processed unless necessary for each specific purpose.
Given the latest Fiasco with Facebook Data Breach, GDPR seems to be a welcome break for us who can not stop using social media but are concerned regarding our data safe.
As an Individual you have the following 2 rights under GDPR:
1. Right to Access:
You can demand to access your data that has been stored on a Website or Social Networking site & it has to be provided to you by the Data Controller.
This is much welcome to the shocking answer given by “Mark Zuckerberg” to the Senate’s questioning regarding what sort of data is being stored by Facebook of its users and his reply of “I don’t know over the top of my head”.
2. Right to Erase:
As an individual, you can also demand the Data Controller to delete your history on their specific website or social networking site which was previously unfathomable.
What does GDPR Compliance mean for B2B Businesses:
GDPR understands that the type of the business – B2C (business to customers) & B2B (business to business) are very different & hence, their processes use data differently.
For B2B kind of businesses, there are 2 dynamics being stated by GDPR:
- Consent or
- Legitimate Interest
It is explicitly mandated that a B2B business has to explicitly take Consent from the individuals before storing their data &
Also that the data is stored should be in sync with the Legitimate Interest of the Business which is storing the aforementioned data.
That means the data that you are storing should be right for your business need & you should not unnecessarily gather or store information that is not needed for your business for its marketing purposes.
Example: You can gather & store information like their email is by explicitly asking for their consent to part with the email ids but storing information regarding their interests, their browsing history is a breach of GDPR regulation.
GDPR is “Global Data Protection Regulation” & is applicable for businesses in EU & other businesses which might be storing or processing data of individuals residing in EU.
Being a Regulation no special Legislation by countries is needed for its application, hence, businesses across the world need to be compliant if they are either storing or processing data of individuals of EU that includes even a third party data processing company based out of some other country like India.
These are the top 5 items that you need to ensure your business is compliant with GDPR:
1. Explicit Consent – Explicit consent from visitors to your website or customers need to be taken before storing or processing their data.
2. Data Protection Officer – A Data Protection Officer needs to be appointed by the organisation to take care of the regulation.
3. Pseudonymisation – Data to be encrypted so even if there is a data breach the data cannot be misused.
4. Data Breach – In case of a data breach no delay to be done in reporting it to the authorities.
Data Protection by Default – Privacy settings to be set to the highest level by the data controller or the business organisation so that the data of the customers or users is protected by default.
GDPR for B2B Marketing:
B2B businesses need to explicitly ask for Consent from individuals before asking for their details. Even then the data that needs to be stored & processed should only pertain to their core legitimate business interest & should not store unnecessary user information.
Reach out to us for a discussion on “GDPR” by emailing us at firstname.lastname@example.org
Have a great week ahead.
Founder, Head – Marketing,