Your inbox is probably close to bursting right now.
In the days leading up to May 25—when the EU General Data Protection Regulation becomes law—companies have been on overdrive seeking permission to keep your personal details.
If you operate in the EU or have customers there, you hopefully need no introduction to the new data privacy laws. But it definitely remains an intimidating and blurry topic to many—not least because the European Data Protection Board is still fleshing out many of the details.
If you would like to review the basics of the GDPR, see What the EU’s New Data Laws Mean to Digital Marketers.
To clear up some of the misconceptions around the regulation, we talked to Niels Dahl-Nielsen and Anders Holm-Jensen of Synch, a law firm that has advised a variety of international companies on GDPR compliance.
We discussed some of the most popular questions about GDPR compliance and what that actually means moving forward.
First, the obvious question a lot of people are asking: do you think the GDPR is a good thing for businesses?
Absolutely. There are huge benefits to reap from it.
At the very least, it has helped a lot of businesses to finally become truly digital. To comply you need to go through a series of exercises that filter out anything you don’t need to build a much leaner organization.
It’s great because of the transparency. GDPR compliance enables companies to build trust in a way they never could before. Best of all, everyone handling the data is aware of the rules now. I’ve never known a piece of legislation to make such an impact and gain such attention.
What are some of the most common misconceptions you have heard about the GDPR?
The most common one is that it’s only something for the IT department or company management.
In reality, GDPR requires a new, company-wide mindset. You need to look at data now as something you are only borrowing, only for as long as you need it; and you need to be ready to hand it back when you are asked to.
That means everyone in an organization needs to have some understanding of it. Any point of contact must now be able to handle requests from data subjects—the people that your company has information about.
This is particularly critical. GDPR is making it easy for data subjects to lodge complaints against companies that fail to react to their requests. Complaints like that are going to bring you to the attention of the data protection authorities.
It adds an all-new element to customer service. If you’re a big company that struggles to stay on top of your inbox, you are going to see the complaints stack up and your GDPR compliance investigated.
That brings us to the question of how the GDPR will be policed and enforced.
This is one of those things that is not so clear just yet—or at least not well communicated by data protection authorities at either the EU or national level.
But here in Denmark at least, I don’t think we’ll see any sweeping crackdowns.
If, for example, the authority notices that the type of company that really should have a Data Protection Officer (more on that later) lacks one, I expect they will order them to appoint a DPO as soon as possible, and give them time to comply before taking action in the form of a fine.
But what is most important here is to keep records of your data-processing activities. It’s required by the GDPR and you will need to present your records to the authority if asked.
Predictably, Twitter has been afire with #GDPRday.
Are some companies affected more than others?
Yes, although these days almost everyone is using social media data in one form or another. But if your company does do large-scale data monitoring or handles sensitive data, which the European Commission (EC) defines as a range of things from ethnic to health data, you are probably required to appoint a Data Protection Officer.
If you’re not sure if you fall into that category, we advise you to review the EC’s Article 29 Working Party whitepaper. You should at least do a qualitative assessment and keep a record of it to be on the safe side.
Are there particular pitfalls for US-based companies, or EU companies with US partners and suppliers?
We have a number of US companies as clients. And our general impression is that most US companies transferring data in or out of the EU are as compliant as most European companies.
The US companies we know have a stronger digital and tech focus than many European companies which gives them a shorter route to compliance.
They are also looking on this as a competitive advantage: if you’re GDPR compliant, you’re ahead of the curve in the US. That’s why our clients are standardizing their data handling across markets to be GDPR compliant, rather than only doing that for EU business.
European companies can vet US companies by seeing if they comply with the pre-existing Privacy Shield Framework. This already governed EU-US data protection, and any compliant company is close to GDPR standards. Just note that this status can expire, so keep checking on a regular basis.
What are the key things to focus on to maintain GDPR compliance?
We’ve already covered the importance of request handling and record-keeping. To that, we would add data processing agreements and breach-handling.
First, there are the many data processing agreements you must have in place with all your vendors. These include anyone providing your company products, services or maintenance. All of these can involve data transfer, and this must be safeguarded. A lot of people don’t seem to be thinking about that.
Then there are data breaches. There are three scenarios you are required to act on. The required action depends on the severity of the breach.
An example of the first and most serious is outright hacks. If you are breached like that you typically need to inform your data protection authority and all the people potentially affected within 72 hours.
An example of the second would be when the breach is serious but contained—then you may only need to inform the authority.
The third one is seemingly minor things like sending an email to the wrong address (provided that email doesn’t include sensitive information and is immediately deleted and not forwarded to others) or losing a properly secured (i.e., encrypted) USB stick with privileged information.
In such cases, you will definitely need to keep a record of it and how you mitigated it.
The GDPR became law today (May 25, 2018).