In light of recent abuses of personal information by companies such as Cambridge Analytica, the arrival of new data protection laws is not surprising. In the EU this legislation is called the GDPR. In South Africa, we have the Protection of Personal Information (POPI) Act. The GDPR governs the way we gather, store and process personal data.
You are probably like me and not very legally minded, so what follows does not constitute legal advice; speak to a real lawyer who specialises in privacy protection. Let’s take a look.
What Is the GDPR?
The General Data Protection Regulation (GDPR) is a new set of rules adopted by the European Union to protect the personal data of individuals in the EU. Advances in the technology and capability to exploit personal information have prompted the biggest reform of privacy law since the internet went mainstream.
The GDPR applies the law consistently across all EU member countries with the aim of protecting citizens against unscrupulous and irresponsible organisations. It puts the user in charge of what information they share, where they share it and how they share it.
Today’s marketing is data-driven. Think about email marketing, marketing automation, AdWords or Facebook remarketing, and you’ll quickly see that the information we use to engage with these users easily connects to actual people.
The GDPR is written in legal language and sets out principles rather than an explicit list of dos and don’ts, which is why you need to get professional advice.
The GDPR comes into force on 25 May 2018. The penalty for non-compliance can be a fine of up to €20 million or 4% of the company’s global annual turnover, whichever is higher. No doubt, the harshest fines will be reserved for the worst data breaches or data abuse.
Does the GDPR Apply to Me?
The most likely answer is yes. You will need to comply with the new legislation if your website or mobile app offers goods or services to people in the EU, or monitors their behaviour (for example through analytics or remarketing), even if your business has no presence in Europe.
I know what you are thinking: “But my business is not located in Europe, I don’t have European customers and they can’t enforce their legislation here in South Africa. So why should we care?”
Well, these rules don’t only affect businesses and website owners directly. They also affect service providers that process and store data on your behalf. Businesses like Google, Facebook and Amazon have offices in Europe and may be subject to penalties.
The knock-on effect is that you’ve probably already seen messages from Google Analytics, Google AdWords and Facebook explaining the changes they have made to meet the compliance requirements of the GDPR.
Unless you are living in a bubble, you need to consider how these laws will affect your business. Europe has also been a role model for the broader adoption of similar laws. If you don’t know already, the update to South Africa’s POPI Act is scheduled for later this year. The new POPI may contain very similar regulation affecting the private data of your customers.
What Is the Difference Between Current Privacy Legislation and GDPR?
Digging down into the legislation from a layman’s perspective, we can summarise the GDPR in two words: responsibility and transparency. Let’s look at these in more detail:
- Responsibility – under previous legislation, the responsibility for private data was never clearly delineated, and a lack of responsibility led to a lack of accountability. Under the GDPR, responsibility for personal data lies with every company that collects, processes or stores it, whether it decides what the data is used for (a controller) or merely handles it on someone else’s behalf (a processor).
- Transparency – Individuals, such as you and me who are giving up the data, now have rights that empower us and promote transparency. As customers, we can ask businesses what personal information they have and how they are using it.
So for example, you might ask a user to provide information on a web form when signing up for a newsletter or when buying a product. Before they commit, you need to inform the user why you need the information and how you will use, process and store it. Where you rely on consent, the user must give it through a clear affirmative action, such as ticking a box that is not pre-ticked; a pre-ticked box, silence or inactivity does not count as consent. Consent is also only one of several lawful bases for processing, so check with your lawyer which one actually applies to each use.
It’s also important to remember that if you store personal information with a third-party service such as MailChimp or Salesforce to carry out additional marketing, that service is processing the data on your behalf. It must comply too, and you remain responsible for choosing processors that do and for having a written data-processing agreement in place with them.
This matters because your users can request that you tell them what types of information you hold, where it is stored and how you are using it. The user can also request that you export the data, correct it or delete it.
How Do I Become Compliant With GDPR?
There is no cookie-cutter approach to compliance, because every business collects, uses and stores personal information in different ways. There are a host of other factors to consider, such as business size and third-party services, to mention just a few.
While there is no checklist to ensure you are compliant, we have already taken several steps on behalf of our clients to ensure their compliance. In the next day or two, we will be releasing some practical steps that more than likely will apply to every website.