The EU’s General Data Protection Regulation is already making its presence felt on websites, social media platforms and online marketing campaigns – not just in Europe, but right across the globe.
The new law strengthens the data rights of EU residents. Linked to this, there are new obligations on the organisations that control and process this data. No matter where you are based, the GDPR requires you to follow the rulebook.
While some of these new rules complement existing laws in various countries, many of the new requirements (e.g. mandatory breach reporting and various internal record-keeping procedures) will be unfamiliar to many businesses.
GDPR compliance affects your website and all internet platforms. It has implications for user experience, content, tone of voice, marketing, analytics, back-end security and, in fact, virtually all online activities. Here’s a rundown of how the new legal framework is likely to shape these activities and how it co-exists with other internet-related privacy laws.
How global websites are reacting to GDPR
The new law is designed to protect the data-related “rights and freedoms of individuals” in what is now a global online marketplace. Here’s the upshot: if you want to do business in Europe, you have to follow the rules, and failure to do so can result in sanctions, including the possibility of hefty fines and (for non-EU businesses) possible curtailment of your EU web operations.
Two contrasting examples highlight how global businesses have reacted to this:
The self-imposed European exile
Currently, if you try to access the LA Times website from the EU, a message tells you that it’s blocked while the organisation works on “technical compliance solutions” suitable for its EU market. A handful of other organisations have followed suit. If the European market represents only a small portion of your business, a cost/benefit analysis might conclude that making the changes necessary to get in line with the GDPR isn’t worth it.
That said, for the majority of businesses, market expansion is a top priority. “Going nuclear” and cutting yourself off from the world’s biggest and richest trading bloc is one option. Absorbing the changes you need to make and implementing them is likely to be a far more attractive way forward.
The roll-out of GDPR provisions for ALL your online customers
As India’s Economic Times highlighted, the arrival of the GDPR meant that many individuals in that country received a flurry of emails from Indian businesses, asking them to renew their consent to receive marketing communications.
Strictly speaking, there was no legal reason for this (GDPR only seeks to protect EU residents). However, organisations doing business in the EU needed to change their procedures to take into account the new law. And rather than limit these changes to their EU customer base, many have applied them across the board.
From a practical, administrative point of view, it’s likely to make far more sense to ensure that ALL your online customers feel the benefits of your GDPR changes. For example, not levying a charge for subject access requests and making it possible to transfer data from one controller to another both make sense for a consumer-centric organisation.
Through this approach, whether you are based in San Diego, Sydney or Strasbourg, your online customers are getting the same transparent appearance, along with reassurances that you are following data safeguarding best practice. Malware attacks and the likes of the Facebook data mining scandal make headlines across the globe; so as consumers become more ‘privacy savvy’, this approach could give you a valuable competitive edge.
Consent and online marketing: how to juggle GDPR and PECR
GDPR requires that you assess and establish a lawful basis for each personal data processing activity. For most online marketing initiatives (e.g. e-newsletters and email campaigns), ‘consent’ will usually be the appropriate lawful basis to rely on.
Meanwhile, a pre-existing piece of legislation, the Privacy and Electronic Communications Regulations (PECR), sets out specific rules concerning marketing emails, text messages and telemarketing calls. A decision on how to use such marketing channels and stay within the law requires an analysis of both pieces of legislation.
To help you get to grips with this, our guides to marketing and B2B communications provide useful reading. The Privacy Compliance Hub provides even more practical guidance to its customers in what is a complicated area.
Check for regional privacy law variations
For the most part, the GDPR sets out a single data privacy framework, with the same rules applicable to individuals right across the EU. That said, there are a few areas where EU Member States have the discretion to set their own rules and procedures.
One such area relates to the minimum age at which children are deemed capable of giving consent to having their data processed. The majority of EU countries set this at age 13, although some (e.g. the Netherlands and Spain) have higher age limits in place. You should look at this especially closely if your online offering is geared towards younger users.
Healthcare and other types of sensitive data are most likely to be subject to regional variations. Health providers with an online presence both in the EU and US should also check out our guide to GDPR and HIPAA.
Juggling data minimisation principles with data retention requirements
From customer service chat facilities, through social media to GPS and behavioural information, companies with an online presence can very quickly build up vast quantities of personal data. The GDPR demands that you only collect what’s necessary for legitimate processing purposes and that you retain it only for as long as it is needed for those purposes.
Alongside this, the GDPR enhances the ability for individuals to request that their data be erased or transferred to other parties under certain circumstances.
If you operate in a highly regulated sector, you may also need to factor in specific rules that dictate record keeping. The Markets in Financial Instruments Directive (MiFID) is a good example of this. Applicable to firms engaged in investment activities, it demands that you retain a wide range of data and information, including marketing communications, details of complaints and transactions and transaction records.
If you operate under detailed data retention rules, you need a system for classifying different types of data as they are collected or created. In this way, you can identify what you need to keep (and for how long) – and what personal data can be earmarked for shorter retention periods. This approach makes you better able to balance customer privacy with your other legal obligations – and should also make it easier to respond to erasure/transfer requests with less hassle.
Your approach and its implementation must be documented and recorded, which is made easy by using a comprehensive compliance solution such as The Privacy Compliance Hub.
Next steps
If you are interested in taking a look at a complete online compliance programme which enables organisations to stay on top of the GDPR and other EU-wide privacy legislation, request a demo to see how The Privacy Compliance Hub works – or call for a chat today.