Is Your Business GDPR Ready?
Does your business capture, handle, store, or share any kind of personal data, whether it’s for customers, staff or journalists? If the answer is yes, you’re going to be affected by the General Data Protection Regulation, or GDPR, which comes into effect on May 25th 2018. So is your business GDPR ready? If the answer is no, or worse, you have no idea what I’m talking about, read on.
What is GDPR?
In January 2012, the European Commission set out plans for data protection reform across the European Union, to make Europe ‘fit for the digital age’. Four years later, it agreed on what that involves and how it will be enforced. The result is the General Data Protection Regulation (GDPR).
GDPR is all about protecting personal information in the digital age. In the last few years, there’s been story after story of brands falling foul of data breaches. Under GDPR, a personal data breach is any security failure that leads to personal data being lost, destroyed, altered, disclosed or accessed without authorisation, whether by an outside attacker, a careless employee or a supplier you have shared it with.
For example, in 2016, ride-hailing app Uber paid hackers $100,000 to keep quiet about a breach that exposed the data of 57 million customers and drivers. Another well-known breach hit email provider Yahoo! in 2013; Yahoo eventually admitted that all 3 billion of its user accounts had been compromised. And Facebook is currently embroiled in a scandal involving Cambridge Analytica, a political data firm hired by President Trump’s 2016 election campaign. The firm allegedly obtained, via a third-party quiz app, the private information of more than 50 million Facebook users and analysed it to identify the personality traits of American voters and influence their behaviour.
In all three cases, the brands were vilified by the media, they lost precious customers and it did some serious damage to their reputations.
How will GDPR affect my business?
The new data protection regulation will affect how you collect, store, record and process people’s data. And there are tough penalties if you don’t comply with the rules. You could be fined up to 4% of your annual global revenue, or 20 million Euros, whichever is greater.
Understanding GDPR and what it will mean for your business is a minefield, so here are a few key points.
1. Consent
A key theme running through the GDPR rulebook is consent. You can no longer assume people are happy to be contacted by you. They need to express consent in a ‘freely given, specific, informed, and unambiguous’ way, which is reinforced by a ‘clear affirmative action’. Consent is only one of the lawful bases the regulation allows for processing personal data (others include a contract, a legal obligation and legitimate interests), but if you rely on it, you have to be able to show when and how it was given.
Specific to PR, this means making sure every customer, journalist, producer or influencer has actively agreed to you storing their personal details and contacting them, and that you keep a record of that agreement. The regulation does not prescribe a form of words, but an email explicitly saying ‘I consent to being contacted by you’, or a recorded phone call to the same effect, is the kind of evidence you need to hold.
A pre-ticked box that automatically opts them in won’t cut the mustard anymore. So no more ambiguous ‘please tick the box if you don’t want us to not send you information’. Opt-ins need to be a deliberate choice.
2. Right to be forgotten
This brings me on to another point. From May 25th, people will have the right to withdraw consent at any time, and a separate right to have their personal data erased, commonly known as the ‘right to be forgotten’. Once an erasure request has been made, you must act on it without undue delay and in any case within one month (extendable by a further two months if the request is complex, provided you tell the person why), removing the data you hold on them across the whole organisation and informing any third parties you have passed it to. The right is not absolute: you can keep data you are legally obliged to retain, but you must tell the person what you are keeping and why. Ignore a valid request and you face a serious fine.
Search engine giant Google has already received requests to delist at least 2.4m links from its search results under the ‘right to be forgotten’, which has applied to search engines in Europe since a 2014 Court of Justice of the EU ruling and which GDPR now writes into law.
3. Data Focus
Are you guilty of collecting more data than you need? Ask yourself, do you really need to know a journalist’s household income before they can download your press kit? Probably not.
GDPR requires you to have a good reason for collecting personal data and to collect only what is necessary for that reason (the regulation calls this ‘data minimisation’). So it’s good practice to look at what data you’re asking for, make sure you have a good reason for collecting it, and write that reason down, because you may have to show it to the regulator. If you really need to know a reporter’s shoe size and can prove why you need it, then you can continue asking for it. Otherwise, stick to the basics.
4. Data breaches must be reported within 72 hours
Under the new rules, if you do suffer a personal data breach that is likely to put people’s rights and freedoms at risk, you must notify your supervisory authority (in the UK, the Information Commissioner’s Office, or ICO) within 72 hours of becoming aware of it, and explain any delay if you miss that window. If the breach is likely to put people at high risk, you must also tell the affected individuals without undue delay. Either way, keep a written record of every breach, including those you decide not to report. Failure to do so will cost you dearly.