The issues of privacy and protection of personal data are a major concern for online consumers. According to a recent NCSA study, 92% of online customers cite data security and privacy as a concern. Many of them are convinced that companies do not store or use their data responsibly.
In response to this growing apprehension, the European Union decided to enact a single set of regulations to standardize personal data protection across its member states. In May 2018, the General Data Protection Regulation (GDPR) went into effect, stating clearly how companies are permitted to legitimately process and transfer sensitive data. It is crucial to note that GDPR applies to any company that markets products or services to EU residents, regardless of where it is based. This means that enterprises based outside of Europe that do business with EU citizens are also bound by the regulation.
Key GDPR data clauses
The data protection requirements laid down by the GDPR include a variety of specifications, but they center on several key issues:
- Active consent – Affirmative action from the individual allowing a company to possess and process personal data
- Right to be “forgotten” – An individual is entitled to demand the deletion of his or her personal data
- Right to know – An individual may demand access to the personal information a company has gathered and request clarification regarding how it is being used
- Data breach notification – Companies are required to notify individuals about data breaches within 72 hours
- Data transfer – Companies must ensure that cross-border data transfer is accomplished securely
Stiff penalties have been enforced for non-compliance, in some cases reaching 2% or 4% of a company’s total global turnover. Honda Europe was fined £13,000 for emailing subscribers who had opted out. The Morrisons supermarket chain was fined £10,500 for emailing all its loyalty program members about account updates, despite the fact that over 130,000 subscribers had unsubscribed.
While these penalties may sound ominous, a methodical approach to GDPR requirements not only ensures compliance, but in the long run also builds trust with your customers and enables you to engage with your real target audience.
Here are several tips that will help you remain compliant and even improve your bottom line:
- Bring in a data protection officer
GDPR compliance can be complicated, and the requirements may change as companies enter new markets and customers exercise their right to access their data. Because data may be gathered through various channels, it makes sense to have a single entity in charge of all data collection and use across the company.
- Ensure ongoing data mapping across the board
Data mapping under GDPR is an ongoing process. Keep track of where your data is coming from and where it is going. Make sure to delete unnecessary data, and constantly monitor and update your data protection measures.
- Monitor your mailing lists
The GDPR requires you to obtain opt-in consent from recipients before sending them marketing emails. Buying email lists for marketing campaigns can incur penalties. Ensure that your marketing automation system and your CRM database are synchronized so that every recipient who has opted out is removed completely.
- Request only necessary information
When asking customers to fill out forms, request only the data you need. Minimizing data requests serves a double purpose – it helps you comply with GDPR requirements and also reduces form abandonment. Customers are put off when asked to fill out long forms, and become suspicious when asked to provide too much personal data.
GDPR isn’t going away, and there is reason to believe that additional data privacy regulations will soon be enacted both in Europe and in the United States. Companies would do well to rethink their data protection strategies and implement the necessary steps to ensure data privacy today.