It’s been well over a year since GDPR was introduced, and France, Greece, Romania, Sweden and the UK have all seen the first casualties of non-compliance. As EU organizations struggle to come to grips with the new legislation, we take a closer look at GDPR, what it is and why merchants can’t afford to ignore it.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law that came into effect on May 25, 2018. GDPR applies to the handling of any personal data processed within the European Union and the European Economic Area. It was designed to protect consumers’ personal data in the modern digital world. It gives them more say in what information companies keep on them and how it is used and shared – especially online.
First, GDPR requires businesses to obtain consent from consumers before storing their details. The introduction of GDPR was marked by a flurry of activity as organizations mailed their customer contacts for permission to retain existing data, while also allowing customers to opt out.
Secondly, GDPR protects consumers against data misuse. It stops organizations from collecting data for one purpose and then using it for another, e.g. saving an email address in order to send a receipt and then using it to issue a newsletter or promotional offer.
Lastly, it sets out notification procedures that have to be followed in the event of a data breach, including informing customers and safeguarding their data from further harm. This includes a 72-hour breach notification requirement and process.
Why GDPR cannot be ignored
Regulators enforcing GDPR have the power to fine organizations that fail to comply. Fines can be up to 4% of a company’s ‘global’ annual turnover. If you are hit with a data breach or other incident, how your organization responds can determine how severe the costs are, in terms of both public backlash and regulatory penalties.
Always follow best practice for consent, user and document management, security and incident response, so that you meet compliance guidelines and have a solid audit trail in place. That includes making sure any third parties you outsource to are GDPR compliant too. If process and due diligence are not followed, hefty fines await. For example, the first big ‘headline’ fine was against Google in France, which was fined €50 million ($56.8 million USD) for data misuse. Other, smaller fines have been imposed across Europe, in many cases connected to data misuse. Interestingly, if the Cambridge Analytica scandal had occurred after GDPR was introduced, the fine they received would have been far more severe.
Why GDPR matters for businesses in the US
Although it is EU legislation, GDPR impacts businesses all over the world because it also covers the ‘transfer’ of personal data to countries outside the EU and EEA. This means GDPR doesn’t just affect European companies, but any organization selling to, or holding information on, EU consumers.
As momentum for similar consumer privacy regulations grows, other countries including Japan, Canada and Korea are looking to tighten data security. It’s likely that new standards will closely resemble GDPR. For example, we have already seen signs of this here in the US, with the California Consumer Privacy Act, which will come into effect next year.
At the end of the day, merchants should never put their brand at risk by ignoring regulations like the GDPR. Make sure you review your data protection strategy regularly and, if there is no formal process, don’t delay in putting one in place.