Even though you might have seen the acronym GDPR more frequently in the media and social networks, it’s possible that you don’t know exactly what it means.
First of all, GDPR is the acronym for General Data Protection Regulation. Basically, the GDPR is a new European regulation that aims to secure all of our personal data that can be collected, stored and used by companies or public institutions.
Its purpose is therefore to protect European citizens. After some controversial cases involving data, it wasn’t very clear how companies would deal with information about people in general.
But if you are a company or have business in Europe, you might be a little worried.
This regulation, which came into force in May 2018, is itself a (very) broad subject. As a result, everyone can get lost and not even know where to start.
In order to simplify this heavy subject (which is not necessarily hyper funky), the Let’s Cloud team decided to launch a series of articles to help you identify different aspects of the GDPR and, in particular, the marketing side of things.
This first article will offer an easy formula, answering 5 of the basic WH questions…
3- What to do?
5- Which sanctions?
What is GDPR?
General Regulation on Data Protection = GDPR. Well, I think we have already mentioned it.
What you need to remember from the name are these two notions:
- data protection = a set of measures aimed at securing the personal data of every European citizen
- European regulation = unlike a European directive (where each country ultimately acts as it wants), a European regulation is binding and directly applicable in ALL member states of the European Union. Which means that no one will be able to escape!
But what exactly is personal data?
Personal data is any data that a company, organization or public institution holds about you.
This can range from a simple e-mail address to your first and last names, as well as more “sensitive” data such as a driver’s license number or your credit card numbers.
This regulation aims to set new standards for the security of our data, in the context of recent cyber attacks.
Specifically, each user, subscriber or customer must be informed from the moment of collection about the processing, storage and use of their data, and must be able, at any time, to exercise their right to modify it, demand its portability or request its total deletion, arriving at a real “right to be forgotten”.
If you think that only the giant technology businesses are involved, you may be wrong. Moreover, that’s the part we should all be worried about.
Every company, European or not, that handles data through online databases containing European citizens’ data must comply with GDPR.
This is true not only of customer data but also of employee data, for example. Which implies that even small and medium businesses are involved too.
Example: Do you use a CRM to manage your customers and invoices? Do you have a database of your clients and prospects, especially for sending your newsletters or commercial offers? Do you use an online payroll tool for your employees?
Then you are concerned!
What to do?
It all depends on the size, the scope and, most importantly, the amount of data that passes through your business.
We will cover this subject in a later post, but here are some items to observe:
1. Obtain the systematic consent of any person giving you access to their personal data. Concretely, each person who leaves you, for example, only their e-mail address (to subscribe to your newsletter) will have to give you their explicit consent, that is, their permission, to use this data for sending your marketing e-mails, but also your commercial ones.
Example: if you offer a free guide download on your website, during registration (and therefore the collection of information) you must inform each person and obtain their consent to receive your newsletters later. Separate consent is also required to receive your commercial offers by e-mail.
2. Provide all information to anyone giving you access to their personal information (via a link to another page of your site).
You must clearly and accurately explain your entire process of collecting, processing, storing and using this data.
3. Guarantee prompt access to a right of modification, portability or deletion, as soon as possible, to any person whose personal data you hold.
4. You will also need to ensure that all of your third-party partners or tools involved in the processing, storage or use of this data are also in compliance with the GDPR.
PS: If your company processes data on a large scale (especially if you collect and use user data or if you have a lot of employees), or if you represent a public institution, you must also appoint a DPO (Data Protection Officer) who will be in charge of all of this within your company.
Now you surely know that you are concerned by the GDPR for your business.
Know that time flies! Indeed, the GDPR came into effect on May 25th, 2018.
That means that from May 25th, any company must be able to provide proof of compliance with the GDPR. Otherwise, know that the European Union has already provided for sanctions.
In fact, what sanctions are applied in case of non-conformity and therefore non-compliance with the GDPR?
Speaking of sanctions, they can result in fines of up to 4% of global revenues AND up to 20 million euros for the most serious offenses.
For example, for an SME with a turnover of 250.000 € per year, this can represent a 10.000 € fine…
Each country has its own authority and its own way of assessing and enforcing fines on this subject.