Whether or not you’ve been paying attention, a new set of laws in the European Union called the General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. For companies operating in the UAE, it can be unclear how this affects you, and what – if anything – you must do to comply. At a basic level, GDPR is meant to enhance or replace the current data privacy rules that every EU country has already adopted. The overall purpose of the regulation is to give individual users more control over their own personal data, to set out best practice for companies handling that data, and to impose sanctions on companies that do not follow it.
The main points of GDPR are the following:
1. Increased Fines
Companies found to be out of compliance with GDPR can be fined up to €20 million or 4% of annual global turnover, whichever is higher, for each infraction. These are proportionate to the severity of the event, so the more prepared you are, the better.
2. Increased Notifications
Companies must notify the relevant authorities within 72 hours (where possible) of a security breach. Where the breach causes harm to individual users, they will also be required to notify those affected users.
3. Increased Accountability
Companies will need to be able to demonstrate their compliance with all rules and regulations, and provide their roadmap for security features.
4. Increased User Rights
Individuals will have more granular control of their own personal data, including the right to be forgotten. Companies need to have a plan to completely remove inactive user data from their system.
5. Increased Responsibility
Companies should designate someone who is responsible for ensuring they are in compliance with GDPR; however, certain organizations will be required to officially name a Data Protection Officer (DPO) to fill this role.
But our company isn’t in the EU, so does this apply to us?
If your company is outside the EU, you may wonder what all this has to do with you. In case you haven’t noticed, the internet is a “world-wide web” – by design. Even if your company only offers services outside the EU, you may commit a GDPR infraction without realizing it.
Here’s a quick test:
- Do you have a branch, subsidiary or any representative in the EU?
- Do you offer any goods or services to persons located in the EU?
- Do you monitor the online behavior of persons located in the EU?
Many people will slide past (1). However, if your website offers a country selection option on signup or checkout and it contains EU countries, then (2) applies. If you are using something like Mixpanel, Facebook Business Manager, Google Analytics, or any other kind of cookie to track online behavior, then you will need to care about (3).
So, what can you do to be prepared for GDPR?
1. Document Everything
The first step to compliance is doing an audit of what personal information you’re capturing, where it came from, why you captured it and whether you still need it. Also, if you are sharing it with anyone, verify whether or not that is necessary and if that has been disclosed.
2. Get in Compliance
You’ll be required under the law to respond within one month of a user’s verified request to either update their information or completely delete it. This can be via any method, so long as you have a demonstrable process.
3. Get Consent
For every notification you wish to send a user, via whatever method, you will need to have their explicit consent, along with an explanation of why you are sending it. This consent will need to be updated regularly. This includes website cookies as well as mailing lists, group chats, and any other type of notification.
This consent will need to be both unambiguous and granular. For example, sample language to use for third-party cookies is the following:
We would like to share your browsing habits on our site with our partners to understand what offers may be of interest to you.
These data will be deleted after 6 months. You can withdraw permission at any time.
Sample wording for communications approval can be:
Please select the boxes below to tell us all the ways you want to hear from us:
Yes, I would like to receive communications by email.
Yes, I would like to receive communications by telephone.
Yes, I would like to receive communications by mobile (text message).
Yes, I would like to receive communications by regular mail.
You can withdraw permission at any time.
4. Create a Playbook
GDPR has a strong breach incident notification component, so best practice is to create ahead of time a set of processes defining who to notify, and how, in case a breach happens.
5. Put Someone in Charge
As GDPR compliance is something that you have to stay on top of, assign someone in your company to own it.
What does this all mean?
At a base level, it means you don’t have to panic. Here is a great checklist to help you get started. For updating your privacy policy, Thrive offers a great template.
What you should be prepared for is that up to 75% of your mailing list will disappear overnight. However, your engagement and open rates will go up dramatically, as GDPR will cull out the people who don’t care about your brand, leaving only the people who truly do want to hear about your business.
In all, GDPR compliance is simply common sense for all businesses.