GDPR – A comprehensive guide
The General Data Protection Regulation (GDPR) is a new data protection law in the EU that will come into effect on May 25th. You have probably received a lot of emails from companies who have your data on file, asking you to agree to their new privacy terms. This can be quite frustrating and annoying when companies you had contact with years ago suddenly get in touch, but it is an important requirement and if you own a business, you will need to do it too.
Everyone seems to be getting into a bit of a frenzy about GDPR, but essentially it is just a new way to help consumers reclaim their data. It was created to protect EU citizens from privacy and data breaches which seem to be happening far more frequently. This law replaces the Data Protection Directive 95/46/EC from 1995.
Why is this so important?
When we get information about our customers and hold their data on our files – it is only borrowed. We do not own it and it does not belong to us. Your customers will place their trust in you that you won’t use their data against them. You may have information on your customers such as their name, address, date of birth, medical information, place of work, education and anything else – this is all important information which we do not want getting into the wrong hands.
What is the GDPR trying to solve?
The problem is that too many companies are exploiting their customers’ data. Businesses will sell email lists which means that these people get daily inboxes full of spam and irrelevant content which causes frustration and annoyance. Even if the customer opts in to receive content in the future, they expect relevant content and not mass produced, one-size-fits-all rubbish. GDPR is meant to protect these people and allow them to have a say in how their data is used.
How is this different to the current law?
The new GDPR is designed to give more rights to people and reduces the risk of information being exploited by companies. The GDPR also has stipulations over the amount of time that this data can be stored. Just because you bought one thing from a company ten years ago, doesn’t mean they can hold your details indefinitely. Because GDPR is a legal regulation, it is a compulsory requirement and will apply as a law in all EU countries. This means that any company handling the personal data of EU citizens must be compliant.
What happens if you ignore the GDPR?
Do not ignore the new regulations, because you will get fined. The harshest penalty is €20 million or 4% of the non-compliant company’s annual global revenue, whichever is higher. You really do not want to be fined for non-compliance, so it is important that you act now and take note of the new legal changes.
What do you need to do?
There are a few things you will need to do as a business about the new GDPR. This includes asking for the customer’s consent to hold their data. It also means that if there is a breach in security at your place of work, you are obliged to notify your contacts within 72 hours of this breach. Consumers will also have the power to ask how, where, and why their personal data is being used. You must provide them with a copy of their personal data in an electronic format free of charge if they ask for it. If they want to be forgotten, you must erase their data. In some cases, companies will be required to appoint a Data Protection Officer (DPO). This applies if you are a public authority, for instance.
You also need to change the way you collect data in the first place. Moving forward, you can no longer rely on a pre-checked box to collect consent for communication. You must now be more deliberate in the way you opt consumers in. You will recall how some companies almost trick people into ticking the box for consent at the end of communications. They can phrase it ambiguously, such as ‘if you do not want to not receive communication from us in the future…’ This will no longer be acceptable under the new law!
You also won’t be able to use statements like “we may process your personal data to improve our services.” You need to be specific about what you are using their data for.
Where to start
As a business you might be wondering how on earth to start acting on this new law. Take, for instance, a GDS hotel. We will use this example to see how, in general, you should begin to act on the GDPR laws.
Your hotel reservation system currently holds a lot of data on many different customers: current, lapsed and potential. GDPR applies to all new and existing data. For your current customers with bookings in your system, consent exists under an “existing customer relationship.” You need to think about how long the relationship could be considered valid in this instance – perhaps a month after their booking has elapsed? For lapsed customers, where the booking has been and gone and you have had no other contact with the customer, you should not store the customer’s data without explicit consent. You can’t include them in email newsletters without their explicit consent. You will need to ask these customers if they are happy for you to continue emailing them, and state for how long and why you would be emailing them – e.g. current offers or loyalty programmes.
Moving forward, you should store the act of consent and exactly how you worded the consent request, for future reference (i.e., this person checked this particular box on this date). This is because you must be able to prove consent before sending any communications to contacts, and if you are ever checked up on, you will need to be able to produce the consent record and its details easily.
You should also keep records of the privacy policies on your system.
Some companies consider running campaigns to get their past customers to re-join their email lists. Incentives are a good idea. As a hotel, you may wish to offer 20% off the customer’s next booking as a reward for consenting to stay on your email list. If subscribers feel that there’s value in what you are sending, they’ll give you their consent.