GDPR: time to think again about how you deal with data
The last time data protection laws changed significantly in Europe, Nokia had only just introduced the cutting-edge technology of text messages. That was as smart as a phone could be. Google wouldn’t be founded for another three years. Mark Zuckerberg had barely started programming. And only 0.4% of the world’s population used the internet.
That was in 1995 and, as you might have noticed, a lot has changed since then.
Today 51% of people have internet access. 40% have social media profiles. The amount of personal information shared on a daily basis is astronomical – and, as we have seen numerous times recently, this information can be used in ways we just couldn’t have anticipated all those years ago.
A revolution in data privacy
Now all that is changing. On May 25th 2018, the General Data Protection Regulation (GDPR) will seriously overhaul the rules on how organizations handle information, reflecting the 21st century reality of search engines, social media, PPC, and biometrics.
It’s important to note: this is not a tick box exercise. Instead, it’s a demand for companies to totally rethink their attitudes to data.
But, if you get it right, it’s also a chance to strengthen your relationship with customers. At the heart of the regulation is a requirement for organizations to practice ‘privacy by design and by default’. In other words, data protection principles should be embedded into the everyday culture of business, rather than as an afterthought.
The outrage caused by Cambridge Analytica’s (mis)use of Facebook data in connection with, among others, the 2016 US Presidential Election demonstrates how dangerous a lack of transparency around data usage can be – both to reputations and finances.
An opportunity, not just a challenge
But there’s more to this than avoiding a PR nightmare. GDPR can be a net positive for people with something to say, something to sell, or something to change – because noise will go down and trust will go up.
Ocean.io’s COO & Co-founder, Michelle Heiberg, has some simple tips for making the most of the new regulations:
- Talk to people who want to be talked to.
- Market to people who want to be marketed to. Be relevant, personal and anticipate needs. It sure beats spam – and remember, it’s not you but the recipient who decides what’s spam and what’s not.
- In two simple words: be relevant.
Embrace these insights, and she believes you can successfully avoid the hit and run low-yield spam that marketers have backed themselves into and engage much more profitably with your customers.
Oceans of advice
At Ocean.io, our business is data. We believe that transparent information makes us all work smarter and that isn’t just a slogan to make us sound good – we’re proud to have been GDPR-compliant for some time now. And now we want to help you be certain you’re GDPR-ready too.
Here’s a simple step-by-step guide to get you started, if you haven’t already.
The most important thing, as I said earlier, is that you have to practice ‘privacy by design and by default’, not just tick a few boxes.
What data do you need, why do you need it, how are you going to use it, and how do you make sure that your reason is valid in the context of GDPR?
This checklist will help you make sure you’ve got your approach right.
This is a great self-assessment tool to confirm which areas you need to cover and how.
This is a handy overview of the differences in GDPR regulations for Small Businesses (defined as a company with under 250 employees).
Why it matters
European companies can’t avoid GDPR (and even though the UK is leaving the EU, it has pledged to maintain GDPR regulations in the long term), so it’s something that is worth taking seriously. But you can – like us – make it work for you and your customers. The challenges are pretty significant, but they’re matched by the size of the opportunity to change the culture around data usage for the better.
In the next few weeks, we’ll be publishing more on the crucial aspects of GDPR for Small Businesses, including advice from experts in HR, marketing, law and other areas. So keep your eyes peeled!
The nitty gritty
As you’ve got all the way down here, you deserve a handy summary of the need to know technical stuff:
- GDPR (Regulation (EU) 2016/679) aims to harmonize data protection legislation across EU member states, enhancing the privacy rights of individuals.
- It applies to organizations processing personal data that have an establishment within the EU and also those organizations that operate outside the EU but offer goods or services to, or monitor the behavior of, individuals in the EU.
- GDPR is applicable from 25th May 2018.
Overall, GDPR provides the following rights for individuals, many of which apply whatever the basis is for processing (although there are some exceptions):
The right to:
- be informed how personal data is processed
- access to their personal data
- restrict processing
- data portability
- Rights in relation to automated decision making and profiling
At the heart of all this, according to Michelle, is that “you need a reason to process the data – called ‘the lawful basis for processing personal data’. The lawful basis for your processing of data affects which rights are available to individuals.”
All these 6 lawful bases in the graphic just above are equally valid. You must be clear and transparent about which lawful basis you are using, because different lawful bases give rise to different obligations under the GDPR and you must document and keep a record of which lawful basis you have chosen for your different processing activities.
If you start by asking yourself why you need the data, you should automatically arrive at the conclusion of which data you need, how long you need it, and what the lawful basis is.
Never fear, start moving towards GDPR compliance today with these 6 easy steps:
- Know what you have, and why you have it
- Manage data in a structured way
- Know who is responsible for it
- Encrypt what you wouldn’t want to be disclosed
- Design a security aware culture
- Be prepared – expect the best, but prepare for the worst