By now, we’ve all heard about the GDPR and we’re aware it’s now in effect. However, just because you’re aware of these two things doesn’t mean you understand what it means to be GDPR compliant. Here, we’re going to break down what the GDPR is so you can go further and determine whether or not your stack is compliant as well.
What is the GDPR?
The GDPR is a recently passed data protection policy for EU citizens that requires businesses to clearly outline how they’re using customer data. Privacy policies have to be updated to be more transparent and general business practices need to be aligned with these policies as well.
Let’s look more closely at some of the required policy changes businesses need to adhere to. You can find more of this information on EUGDPR.org.
Increased territorial scope
The GDPR applies to all EU citizens, which means any company, regardless of where they’re located, needs to comply with the GDPR. If you’re a US-based company with customers in the EU, you need to be GDPR-compliant.
Consent
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.” This means you can’t use hard-to-understand language in an effort to confuse your customers about how their data is used.
Breach notification
This should be a no-brainer on a moral level, but for those of you who would think twice about informing your customers when there’s a data security breach, saying nothing is not an option. If you don’t inform your customers of a data breach, you are not GDPR-compliant.
Right to access
This means if an EU-based customer asks what data of theirs you hold, you’re required by law to tell them what that data is and how it’s being used. Furthermore, you’re required to give them a free, electronic copy of that data.
Right to be forgotten
This is one of the more landmark rules of the GDPR. If an EU customer asks your business to delete whatever data you have on them, you must do so. The data controller must “erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”
Privacy by design
This means transparency can’t be limited to the moments when an EU-based customer asks you for their data. You have to have a secure, compliant stack in order to not be penalized. In other words, your systems, software, and standard operations must be designed from the start to keep your customers’ data private.
Please note: “Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.” In other words, you don’t want to take any chances not complying with the GDPR.
How to ensure your stack is compliant
Now that we’ve broken down what the GDPR is and what it takes to be compliant, we can discuss ways to ensure your stack is compliant. Privacy by design is an important policy businesses need to be aware of if they’re worried they’re not doing enough to ensure their EU customers are properly protected.
Data mapping
Data mapping, to break it down simply, is the act of mapping out how data is used and how it moves about your business. Think of a data map like a site map. You want your customers to be able to see exactly how their data is being used in an easy-to-follow format. The more transparent you are about your intentions, the more likely your customers will consent to the use of their data, and the less likely you are to fall out of compliance with the GDPR. Another plus is that potential red flags are easier to spot once the data flows are mapped out.
Switch to the Cloud
Switching to the Cloud can help to alleviate much of the pressure when it comes to ensuring systems and software are GDPR-compliant. Cloud-hosted providers host their own services, which means the provider, not you, is responsible for keeping the software up to date. If your business uses on-premise CRM software, now would be a good time to make the switch. If you’re using standard telephone lines, consider VoIP phone systems and other hosted PBX providers. Doing this could potentially save your business money, which makes switching to the Cloud a win-win.
Revamp your mobile apps
You cannot forget about your mobile apps when it comes to the GDPR. Many apps require users to hand over a great deal of information that isn’t always necessary for the app to function. One way to ensure your apps are compliant is to present a form asking for explicit consent to use only the minimal amount of data needed to make the experience worthwhile. You can also have a data controller build a data map for your app if you feel it will help to increase transparency between you and your customers. Don’t forget to encrypt that data too, including your backups. There’s no such thing as too much security anymore.
The final word
Understanding what the GDPR is can play a significant role in determining whether or not your stack is compliant. On the surface, it appears that there are a ton of moving parts to make your business GDPR-compliant, but in reality, it all boils down to transparency. Every part of your business needs to keep the customer’s best interests in mind, regardless of where your business is located. So long as you have EU-based customers, you need your site to be compliant. And as long as you’re clearly outlining how you’re using customer data, while adhering to the most current security protocols, you have little to worry about.
The nature of how businesses operate is leaning this way regardless of your opinions, and the penalties for not complying should be enough motivation to comply yesterday. Regaining the trust of your customers while making your website more transparent and secure is good business practice that will ultimately make your website stronger, faster, safer, and cost-efficient for businesses in the United States and in the EU.
Nick Campanella graduated from Queens College with an MFA in Creative Writing. He is a writer for GetVoIP who focuses on VoIP and CRM news and trends while putting a unique spin on omnichannel, customer support, marketing strategies, and the sales funnel.