The GDPR and You: What You Need to Know
The General Data Protection Regulation (GDPR) applies from 25 May 2018. It replaces the current data protection framework provided by the European Union’s Data Protection Directive (95/46/EC) and substantially changes the rules on how businesses handle the personal data of individuals in the EU.
Because the GDPR is an EU regulation, it applies directly in every member state without national implementing legislation, so it is up to businesses to understand its terms and what they must do to comply: failure to do so can result in a fine of up to €20 million or 4 percent of global annual turnover, whichever is higher.
The following article examines what the GDPR entails, who will be affected and how you can ensure your company is in full compliance with the requirements.
It also covers what the GDPR means for Salesforce and the actions small businesses that use Salesforce should take in advance of May next year.
What is the GDPR?
The GDPR aims to improve the transparency, security and accountability of data controllers and processors, and to strengthen the data protection rights of individuals in the EU.
Its key provisions give data subjects additional and stronger rights, impose direct obligations on processors as well as controllers, and regulate how and under what conditions personal data may be transferred outside the EU.
The GDPR applies in all 28 member states of the European Union, replacing the patchwork of national laws that implemented the Directive, which should simplify data protection compliance for businesses and organisations operating across the EU.
The GDPR protects personal data such as:
- Basic identity information (name, address, identification numbers etc.)
- Online identifiers (IP addresses, cookie identifiers, device IDs etc.)
- Health data
- Biometric and genetic data
- Racial or ethnic origin
- Sexual orientation
- Political opinions, religious beliefs and trade union membership
Health, biometric and genetic data, racial or ethnic origin, sexual orientation, political opinions and religious beliefs are “special categories” of personal data under Article 9 and may only be processed under narrower conditions than ordinary personal data.
While guidance is still being issued on exactly what some of the GDPR’s provisions require, the Data Protection Commissioner has published a document that highlights four key concepts of the framework:
- Consent: Where you rely on consent as your lawful basis for processing, it must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that the person gave it (Article 7). Pre-ticked boxes, silence or inactivity do not count as consent
- Profiling and automated decision-making: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them, except in limited cases (Article 22), and you must tell people when such processing takes place
- Personal data breach notifications: You must notify the supervisory authority (in Ireland, the Data Protection Commissioner) without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, you must also inform them directly (Articles 33 and 34)
- Certification: Articles 42 and 43 establish voluntary certification mechanisms, seals and marks; obtaining one is not mandatory, but it is a recognised way of demonstrating compliance
Who’s Affected?
The GDPR applies to any business that processes or stores the personal data of individuals in the EU, regardless of their citizenship. This includes businesses that have no presence in the EU. Specifically, under Article 3 you must comply with the GDPR if your business:
- Is established in an EU state and processes personal data in the context of that establishment
- Has no presence in the EU, but offers goods or services (paid or free) to individuals in the EU, or monitors their behaviour (for example by tracking visitors to your website)
Headcount does not decide whether the GDPR applies to you, but it does affect some of the obligations:
- Businesses with 250 or more employees must keep written records of their processing activities (Article 30); businesses with fewer than 250 employees must do so too if their processing is more than occasional, is likely to result in a risk to the rights and freedoms of individuals, or involves special categories of data
- A Data Protection Officer is mandatory, whatever the headcount, for public authorities and for businesses whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37)
It’s important to remember that GDPR is not just an IT issue: the new framework will have an impact on many areas of a business, especially marketing, sales and any other activity that involves the targeting or contacting of customers via the Internet.
Who’s Responsible?
The GDPR identifies several roles responsible for ensuring a business complies with the regulation:
- The Data Controller determines the purposes and means of processing personal data, i.e. why and how it is processed
- The Data Processor processes personal data on behalf of, and on the documented instructions of, the controller (for example a hosting provider, or a SaaS vendor such as Salesforce)
- The Data Protection Officer monitors GDPR compliance, advises the business on its data protection obligations and acts as the contact point for the supervisory authority and for data subjects
Any business that processes personal data is a controller, a processor or both, depending on who decides why and how the data is used: a small business will typically be the controller for its own customer and employee data, and a processor only if it handles data on behalf of its clients. Appointing a Data Protection Officer is mandatory only in the cases set out in Article 37, although a smaller business may still choose to appoint one. It is essential that you identify which roles apply to you, because the obligations attached to each are different and failing to meet them can result in substantial penalties.
What are the Penalties for Non-Compliance?
If you fail to comply with the GDPR you can be fined up to €20 million or 4 percent of your business’s global annual turnover, whichever is higher.
The GDPR is concerned with the data protection rights of individuals in the EU, and the supervisory authorities enforcing it will be on the lookout for non-compliance, whether accidental or intentional.
As a result, it’s vital that you begin preparing now for 25 May 2018, when the GDPR starts to apply.
How to Prepare
As mentioned previously, there are still unanswered questions as to exactly what is required of businesses to ensure GDPR compliance. However, the following steps can be taken now to prepare:
- Map data: First, map exactly where the personal data your business processes comes from, what it is used for, where it is stored, who can access it, who it is shared with, and what the associated risks are
- Convey urgency: The urgency of this matter must be conveyed from the top down, i.e. stakeholders must be fully aware of what is involved and of the possible penalties, and management must ensure that every department understands the changes made to achieve compliance
- Appoint a DPO: If you need one, you may be able to appoint a current employee working in a similar role as your Data Protection Officer (provided their other duties do not conflict with it), or engage an external DPO to fulfil the role on a part-time basis
- Develop a data protection strategy: Most companies working in the IT sector already have some form of data protection strategy, but it will need to be reviewed and updated where necessary to ensure compliance
- Conduct a risk assessment and identify means to mitigate risk: Done properly, this lets you foresee data protection risks and plan how to mitigate them; where processing is likely to result in a high risk to individuals, a Data Protection Impact Assessment is mandatory (Article 35)
- Ask for help: Outside resources are available for smaller companies that do not currently have the capacity to ensure full compliance, and they can guide you through the process and highlight issues or factors you may have missed
Salesforce, Pardot and the GDPR
As you can imagine, the GDPR will have a big impact on how you use Salesforce. Thankfully, Salesforce is committed to complying with the GDPR and to assisting its customers in achieving compliance. Salesforce is currently updating its ‘products, contracts and documentation’ to reflect the new regulation, and has provided a free Trailhead training article designed to bring you up to date with the GDPR and its requirements. It is recommended that all Salesforce users complete the Trailhead article.
Pardot users can start preparing now by adding an explicit opt-in field to their Pardot forms. Where you rely on consent to send marketing communications, you must give individuals an easy way to opt in, and to withdraw that consent later, and you must be able to show when and how the consent was given.
To create an opt-in field in a Pardot form, take the following steps:
- Create a new custom field for marketing consent, using the Radio Button type with separate opt-in (‘true’) and opt-out (‘false’) options
- In the Basic settings on your field, set Label to blank and leave Required unchecked, then click ‘Load Default Data’
- In Advanced settings, add a Description explaining the opt-in and opt-out process in plain language, check ‘Always display even if previously completed’, and leave all remaining settings unchecked
- The ‘true’ and ‘false’ values should populate automatically when you click ‘Load Default Data’; do not pre-select either option, as a pre-ticked box is not valid consent under the GDPR
- Finally, segment your mailing lists with a rule on the new field so that you only contact people who have opted in via the form, and retain the record of when and through which form each person opted in as your evidence of consent
A New Landscape
The General Data Protection Regulation sets a new standard for data privacy rights and will transform the digital landscape. Until now, businesses that process personal data have operated under far looser constraints on how they use and store it, but this will no longer be the case.
The European Union understands the importance of protecting personal data rights, so you should expect those implementing and enforcing the framework to be strict in their assessment of compliant and non-compliant businesses.
However, educating yourself and your employees and following the steps set out by the GDPR will go a long way towards full compliance and the avoidance of penalties.