When it comes to GDPR and regulatory compliance, especially at the international level, many organizations tend to adopt a set-and-forget attitude.
Companies assume that once they put a privacy policy into place and comply with existing regulations like GDPR, for example, their work is done in terms of data protection. Unfortunately, this couldn’t be further from the truth – staying on top of your GDPR and regulatory compliance is an ongoing process that demands attention if you want to keep your organization out of legal troubles later down the track.
In this blog post we will explore why having a privacy policy alone isn’t enough to stay compliant – and what else marketing managers, startups and social influencers should consider when building out their overall approach to protecting both personal information and public reputation. Let’s dive right in!
GDPR, Regulatory Compliance & Data
Data. It’s everywhere you look now. Whenever accessing the internet or using an app, you’re sharing bits of yourself with the app developer and anyone else who has access to the information they collect. Even if you turn off the location on your smart phone, someone, somewhere knows where you’ve been and how long you stayed there.
Data has become the new unofficial currency that absorbs the time and tech of anyone who uses the internet. Because information is power, computer users worry about it being stolen and website owners work overtime to ensure that their visitors and compliance regulators know it’s safe. The cost of data breaches and leaks has led consumers and law makers to demand action, and many government agencies have reacted by introducing legislation meant to control how much is collected, why, and what is done with data once it’s obtained and stored.
When Europe’s General Data Protection Regulation (GDPR) was first implemented in May 2018, it caused a lot of confusion – and not a little fear – among web developers and anyone else who needed to collect data for any reason. The penalties are stiff, running into the millions depending on the degree and depth of non-compliance, and many website owners are still unsure how – or if – GDPR affects them and how to remain compliant.
Most responded by updating their privacy policies to inform users according to the tenets of GDPR compliance. But, is an updated policy enough to protect you? Does a data regulation in the EU affect your business at all?
What is GDPR?
GDPR is bit of a data protection legislation that’s meant to shield consumers who use web services within the European union. It does so by placing strict guidelines and potentially hefty fines on any website or internet-based service that collects and uses information.
Details are contained within a pretty lengthy document, but it can be boiled down to seven core principles that govern the how’s, why’s, and wherefores’ of data collection and preservation. The data covered by this regulation includes personally identifying information, health and biometric data, internet activity and access, and data about sexual orientation, religion, or political affiliations.
This regulation also provides a slate of consumer rights and remedies when it comes to how their data is collected and used. That includes the right to join class action lawsuits against web enterprises who fail to protect information and those who abuse such data.
The goal is to prevent websites from obtaining anything but the most basic user data needed to conclude their business. It also states that websites must inform users about what data is collected, why it’s needed, and how it is used/stored/disposed of after it’s collected. Companies that aren’t in compliance by updating their policies and use, as well as being completely transparent with users about their policies and use, face penalties that range from a warning to censure and financial ruin.
This has led web developers, eCommerce enterprises, and other stakeholders to wonder how or if this regulation even applies to them and what they need to do to maintain compliance.
Does the GDPR Affect Your Content?
If you’re located outside of the EU, you’re probably wondering why you should even be concerned about their policies and regulations. These don’t apply to you, right? Even if they do, you’ve updated your privacy policy as per Article 12, informed your audience, and posted it on your website. You’re good to go, right?
Right?
Not necessarily.
Yes, the policy governs websites used by EU citizens and visitors. However, it also protects them when they travel outside of the EU. In short, you’re under the auspices of this particular EU regulation if you:
- Maintain a business presence within the EU
- Collect, maintain, and/or process information of EU residents
- Have more than 250 employees; those with smaller enterprises must still maintain compliance if the data they collect or use is of a sensitive nature, such as financial or health information.
Not only do you have to maintain complete transparency about your data policies, you have to comply if a user demands access to their data. You also have to prove that there is a valid reason for the information you collect and the ways that it will be used in the future.
This can get tricky. Suppose that a company sells tobacco products and requires proof of age before admitting entrance to their site. That’s a legit reason for asking for the user’s date of birth. But, what if the company keeps that info in a database to use in the future for promotions or marketing analysis?
A business might maintain that’s a valid reason for keeping a file containing their user’s birth dates, but some users might object. They agreed to give you that information so they could access your site, but not so that you can send them digital birthday greetings or track their shopping habits.
In such cases, merely posting a privacy policy isn’t adequate. Additional opt-ins and permissions are needed to support the required transparency and protect yourself. For one thing, no one reads them. While ignorance of the law is no excuse for breaking it, that doesn’t do much to protect you from the one user who goes to the regulatory committee and claims you’re in violation.
So, how do you ensure that you’re in complete compliance with the GDPR and other regulations surrounding consumer and data protection?
By erring on the side of doing too much rather than too little and following basic GDPR compliance best practices. We can start by understanding the intent of the GDPR and the reasons it was adopted in the first place. Next, you should look inward to determine the amount and reasons for the data you collect. Is it necessary in order for you to conduct business. How much information is too much?
Once you’re clear about the amount and type of data you require, make sure that you’re completely transparent about this need, inform users in clear and uncertain terminology, and document everything so that you can at least claim in good faith that you’re doing everything in your power to protect your company and user data. You want to know more about GDPR, contact us today