As of May 25, 2018, you’ll need to comply with the General Data Protection Regulation (GDPR) if you do any business with clients in the European Union.
How you handle email and data collection will change.
The goal of GDPR is to strengthen privacy protections for EU residents and to consolidate an assortment of existing privacy laws that currently span dozens of countries. “Personal data” will be defined in a much more specific way and will apply to all companies processing and holding information of people living in the EU, regardless of the company’s location.
Corporations Are Not Exempt
This means that if you are an American corporation collecting personal data from clients anywhere in the EU, including – but not limited to – a name, photo, banking information, a birthdate, home address, an email address, social media posts, medical information, or a computer IP address, you will be subject to the GDPR.
It’s an effort to give consumers more control and transparency, and companies that don’t comply will face large penalties. If a violation is determined, companies can expect to pay fines of up to 4 percent of their global revenue.
Security Breaches Will Become Punishable
For context, consider that globalization and advances in AI and data analytics have made the sharing of personal information easy – too easy in many cases. In a Sept. 6 newsletter from SC [Cyber Security] Newswire, the headlines detailed multiple breaches involving Amazon servers, military records, and Dow Jones customers. Consider what Amazon might have to pay in fines at 4 percent of its global revenue and you have an idea of how costly this could become.
These instances underscore the fact that compliance and oversight are lacking, and going forward the GDPR will be unforgiving of security lapses.
Data Breach Notification Will Become Law
CyberGRX CEO Fred Kneip recently said, “Too often, organizations fail to recognize that the perimeters they're defending now extend exponentially to include customers, partners and other third parties with access to their network.”
This failure points to one of the primary issues the GDPR is aiming to correct: the way personally identifiable information [PII] is handled and how customers are notified about breaches and data transfer.
GDPR will mark the first time data breach notification is codified into law.
It will mandate that businesses notify the local data protection authority of a data breach within 72 hours of discovering it. For many businesses, this will require a complete overhaul of data security, privacy, and protection. You’ll need to have processes in place that can contain the damage, determine who the affected parties are, and establish how widespread the breach is.
For many businesses, it will require a designated data protection officer [DPO] to enforce GDPR compliance.
Consent Parameters Will Change
The onus will be on organizations to prove they obtained explicit consent to gather information from an individual. Data subjects will have the right to request that their personal information be deleted and, most importantly, subjects will have the right to rectification if personal data is used for profiling purposes that might lead to discrimination.
Now is the Time to Evaluate Your Security Protocols
Your first line of defense is a critical assessment of your current data security and a commitment to design processes that allow you to identify risk. If you begin now, your organization will have a competitive advantage and guarantee your customers’ loyalty.