The General Data Protection Regulation (GDPR): Key Points for B2B Companies
Effective May 25, 2018, the General Data Protection Regulation (GDPR) came into force. It puts personal data privacy at the forefront of business operations. Bringing the biggest change to the European Union (EU) data privacy and security regulation in more than 20 years, the GDPR poses a great challenge to global marketers and IT departments. Although this data protection regulation is a piece of the EU law, it will have a global impact and affect not only the EU-based organizations but many multinational and US-based companies as well.
The GDPR replaces the Data Protection Directive 95/46/EC and is designed to protect EU citizens with regard to the collecting, storing, processing, and free movement of their personal data. It aims to reshape the way global organizations approach data privacy for EU citizens across the globe.
Regardless of their physical location, B2B companies should take note and act now. Some of the most significant changes introduced by the GDPR that will affect B2B companies are as follows:
The territorial scope
A significant change made by the General Data Protection Regulation is the territorial scope of the new regulation. It applies to all organizations that process and hold the personal data of users residing in the EU, regardless of the organization’s location. Therefore, even with no direct operations in the EU, most multinational companies, as well as US-based companies, may be affected. For instance, if a US-based company is engaged in monitoring the behavior of EU residents in the EU, it is subject to the GDPR.
The scope of the data
Under the GDPR, the definition of “personal data” is quite broad and includes any information that can help identify individuals in any way. This may include anything from such obvious identifiers as name, date of birth, or social security number to GPS data, IP addresses, or other factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person, as well as cookie strings, social media posts, online contacts, and mobile device IDs – amongst many others.
Consent
The GDPR brings in more stringent requirements for obtaining valid user consent. It states that consent must be “freely given, specific, informed, and unambiguous.” Therefore, organizations (“data controllers”) will have to adjust their digital marketing forms and related marketing efforts to obtain explicit user consent. Companies may only use collected data for the purposes for which users (“data subjects”) have given their consent, and may not retain it beyond the minimum time necessary to achieve those purposes.
Specifically, pre-ticked boxes or inactivity will not constitute valid consent. Instead, organizations will have to clearly communicate what they will be doing with the data, and will not be able to rely on asking the user to click a hyperlink leading to a separate “terms and conditions” page.
Moreover, users have the right to revoke consent to data processing at any time, without limitation.
The “Right to be forgotten”
Per the new Regulation, users have the right to obtain the definitive deletion of their data processed and stored by data controllers. Furthermore, users will also have the right to unlimited data portability between companies.
Data protection and the 72-hour data breach reporting
Under the GDPR, an organization has a duty to properly protect personal data at the time of collection and for the whole duration of processing. In case of a data breach, organizations must notify the national supervisory authority and/or the affected users of the incident within a 72-hour timeframe.
The new role of Data Protection Officer (DPO)
If your organization processes special categories of data, such as sensitive data, or uses regular and systematic monitoring of users on a large scale, it needs to appoint a Data Protection Officer. The DPO’s role is to inform and advise the organization of its obligations pursuant to the GDPR, monitor compliance with the Regulation, and provide data protection impact assessments, amongst other duties.
Penalties for non-compliance
The GDPR imposes significant fines for non-compliance. Penalties and fines, calculated based on the company’s global annual turnover of the preceding financial year, can reach up to 4% or EUR 20 million (whichever is greater) for non-compliance with the GDPR, and 2% or EUR 10 million (whichever is greater) for less serious infringements. For example, a failure to report a data breach to a regulator within 72 hours could result in a fine of up to 2% of global revenue or EUR 10 million, whichever is greater.
Act now to ensure your organization is GDPR-compliant
US-based companies, especially those with a strong digital presence, should be making all necessary changes now to ensure compliance when the regulation goes into effect next month. Marketers and IT departments should work closely together as they revise their global marketing strategy and user data management practices in line with the GDPR requirements.
Organizations should focus on addressing the following:
- Assess your role as “data controller” – evaluate your company’s role on a global scale. Since the GDPR applies to organizations outside the EU as well, any company that decides why and how personal data is processed is considered a data controller.
- Practice transparency and accountability – organizations must demonstrate accountability and transparency in all decisions regarding personal data processing activities. Outside parties must also comply with the relevant requirements, which can impact business processes. Therefore, proper acquisition and registration of data subject consent is a must.
- Make the necessary technical changes – implied consent and pre-checked boxes will no longer be sufficient. Instead, companies that fall under the GDPR must:
  - Ensure transparency and clear communications – be precise in explaining to the user who you are and what your intent is. Explain why you collect their data, for how long, and who else has access to it;
  - Get clear consent before collecting any personal data;
  - Allow users to easily access, manage, and delete their data;
  - In case of a data breach, inform the users and authorities within 72 hours of the incident.
- Appoint a Data Protection Officer (DPO) – if your company processes special categories of data, such as sensitive data, or uses regular and systematic monitoring of its users on a large scale, it must appoint a Data Protection Officer.
- Check cross-border data flows – US-based organizations processing personal data on EU residents should select the appropriate mechanism to ensure compliance with the GDPR. The General Data Protection Regulation allows data transfers to any of the EU member states, as well as to Norway, Liechtenstein, and Iceland. Transfers to any of the other countries the European Commission (EC) has deemed to have an “adequate” level of protection are also allowed. Outside of these areas, experts advise using appropriate safeguards.
View the following resources to learn more:
- The GDPR infographic from the European Commission
- The full text of the General Data Protection Regulation (GDPR)
Legal Disclaimer: The opinions and recommendations in this article should not be considered as legal advice. APPETITTE recommends that entities subject to legislation seek legal counsel from qualified sources.