It was May 2018, Anno Domini, and the (digital) world (as we knew it) ended in a thunderstorm of regulation that left everyone dazed, confused, and downright frightened. EU GDPR compliance (the Regulation was adopted in 2016 and became enforceable on 25 May 2018) was becoming a reality.
Like Google’s Mobilegeddon and a hundred other digital storms, GDPR arrived on the announced date. For the vast majority of businesses, the GDPR legislation entered the world without much of an impact (aside from the general hysteria that preceded it).
For those that got lost in the web of well-meaning advice and suggestions floating around cyberspace, things did not go as well. To date, some of the largest companies in the world are facing stinging GDPR penalties for not following what has now become a fairly comprehensive collection of GDPR best practices.
Here we are, more than two years later, looking back at what was once a perceived nightmare and finally able to draw some conclusions.
What are they? What are the GDPR compliance lessons and best practices now that the dust has finally settled and we can draw on actual, real-life examples of what has been going on since 2018?
Read on and find out more.
First Things First: GDPR, or The European Privacy Laws
It doesn’t quite matter what position you hold in your company. It doesn’t even matter if you work, to be honest.
Chances are you have heard about at least one GDPR rule because two years ago, every single business in the European space wanted your agreement to them holding and using your data.
Happenstance or not, GDPR’s enforcement date came shortly after Mark Zuckerberg’s testimony before the US Congress in the aftermath of the Cambridge Analytica scandal.
All that seems ancient history by now, but back then, data protection was on everyone’s lips. If you were in the EU and went to your local drugstore, there was a high chance they asked you whether your personal data could be used for marketing and promotional purposes. As for your email inbox, we’re pretty sure it felt like an avalanche of
- Please stay with us
- We beg of you, click on Agree
- We will continue to provide you with awesome discounts if you do it
… and all variations possible.
GDPR compliance seemed like the nightmare of every marketer in the world – a monstrous three-headed watchdog guarding Europeans’ rights to be, well, private.
In reality, the official EU GDPR guidelines are less dense than most people realize: only a handful of general rules on the official site, all of which are expanded in detail in the Regulation itself (a bushy legal document you do have to read and abide by).
In a nutshell, the GDPR says this:
- GDPR applies to any organisation, wherever it is established, that processes the personal data of people in the EU (Article 3); it is the location of the data subject that matters, not the location of the company
- Penalties are painful: up to 4% of annual global turnover or 20 million Euros (whichever is greater)
- Where consent is the lawful basis for processing, it must be asked for explicitly and in a way that is easy to understand. No more gibberish Terms and Conditions that people scroll to the end of before clicking “I accept the terms and conditions.” (Consent is only one of the six lawful bases listed in Article 6, but it is the one most businesses lean on for marketing)
- Breach notification becomes mandatory in all EU states: the supervisory authority must be notified no later than 72 hours after the company becomes aware of a breach (unless the breach is unlikely to result in a risk to individuals), and the affected individuals must be told without undue delay when the breach is likely to put them at high risk
- Subjects are entitled to ask companies whether or not their data is stored, and to ask for a copy of all the data held about them (the right of access)
- Subjects have the GDPR Right to be Forgotten (the right to erasure), meaning they can request the deletion of the data associated with them. The right is not absolute: a legal obligation to retain certain records, for example, overrides it
- They also have the right to have their data transmitted to another data controller (data portability)
- A Data Protection Officer must be appointed, following precise standards, whenever the organisation is a public authority, its core activities involve regular and systematic large-scale monitoring of individuals, or it processes special categories of data on a large scale (Article 37); other companies may appoint one voluntarily, and many do
This is the abridged version. The long version spells out what you should do in a myriad of specific situations. A couple of examples, just to illustrate (and so that you can see in what :
- The official General Data Protection Regulation dedicates an entire chapter (Chapter V) to what must happen when personal data is transferred to third countries or international organisations
- The same text also forbids the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and of genetic data, biometric data used to identify a person, health data, and data concerning a person’s sex life or sexual orientation. Article 9 of the Regulation lists ten exceptions to this rule, including (but not limited to):
  - You have the subject’s explicit consent to process this type of data
  - You need to process the data to protect the vital interests of the data subject (or of another person), and the data subject is physically or legally incapable of giving consent
  - You need to process the data to establish, exercise or defend legal claims, or a court is acting in its judicial capacity
Of course, these are just examples. Again, we strongly encourage you to read the full document and ensure that your company abides by all these rules. As pointed out before, the fines can be quite hefty (!).
GDPR Compliance Explained: Two Years, Five Months, and a Couple of Days
By the time you get to read this, it will have been two years, five months, and a couple of days since GDPR came to be.
It is fair to say, then, that we have learned our GDPR compliance lessons. There is still a lot more to go, sure, but 29 months have been quite enough for everyone to gain a good understanding of what the best GDPR tips are.
1. You’re Never too Big
If you think you are running a large company and cannot possibly be affected by GDPR, think again. Some of the largest companies in the world have been affected, and we are not discussing old-school mammoths but companies active in the digital field.
Best example (or worst, depends on how you look at it)?
Google was fined no less than 50 million Euros by the French regulator (CNIL) in January 2019 for failing to comply with the General Data Protection Regulation.
If you think this was an isolated incident, check out the list of GDPR fines so far (each of them is a GDPR compliance lesson in its own right). Also, keep in mind that, according to a Mayer Brown whitepaper written after the first 100 days of GDPR, regulators were focusing on catching the “big fish” first (which is definitely not to say that you are out of scope if you are a small player, especially now that it has been two years since the EU privacy laws came to life).
2. It’s Never Just about You
The world we live in is built on a foundation of intricate data connections (for more on this, check out our Big Data series on Dataism and the Big Data Pyramid). This means it is never enough to ensure that your own company complies with the GDPR legislation.
One of the most important GDPR compliance lessons is that you should pay close attention to whom you work with as well, especially the processors that handle personal data on your behalf. GDPR makes you responsible for choosing processors that offer sufficient guarantees and requires a written contract binding them to the same obligations (Article 28); a breach at your processor is still a breach you, as the controller, have to report to the supervisory authority.
Likewise, it means you should train your entire organization to protect itself against potential data breaches. You would be surprised how many people still click on dubious links that land in their Spam folder! And yep, they totally do it at work, because what are Mondays for, other than winning $1 billion in a contest you never entered?
3. It’s OK to Just Remove Data You Don’t Need
If you have only now stumbled into GDPR compliance (hard to believe you have escaped the watchful eye of the regulators this long), start by taking inventory of the data your company currently holds.
Do you really need all of it?
Maybe it is time for a (fall) cleanup. Data minimisation is not just good hygiene; it is one of the Regulation’s core principles (Article 5(1)(c)): collect and keep only what is adequate, relevant and necessary for your stated purpose. Data you no longer hold cannot leak, does not have to be produced in an access request, and does not have to be erased on demand. It might just leave you with a bit of room to wiggle within the panic-attack-inducing rules of GDPR.
4. Encryption Is a Must
Data encryption is no longer something torn out of movies. It is a must. You need it. Article 32 names encryption and pseudonymisation explicitly among the appropriate technical measures for securing personal data, and Article 34 spares you from notifying the affected individuals of a breach if the data was encrypted in a way that leaves it unintelligible to whoever took it. In practice that means encrypting personal data at rest and in transit, and keeping the keys somewhere other than next to the data: a database dump that ships with its own decryption key is not “encrypted” in any sense a regulator will accept.
5. A Knowledge Base Is a Good Idea
GDPR and GDPR compliance are still in their infancy, and there is a pretty high chance the US and the rest of the world will follow with their own sets of regulations (fun, fun, fun!).
As such, having a Knowledge Base to help you document everything you have learned and done so far will definitely help in the future, regardless of whether or not the EU remains the only place on Earth thinking of its subjects’ data protection.
6. Your DPA Is Watching
And everything you say can and will be against you.
Maybe not a good idea to take the Data Protection Authority’s case officer out for drinks and convince him/her your company is totally safe. We all know what happens after a couple of drinks.
Joke aside, communication with the DPA (the supervisory authority for your country) has to be handled very carefully, so choose your words cautiously. Even if you are 100% in order with your GDPR compliance, you probably still do not want to trigger an investigation.
7. Crystal. Crystal Clarity
When you communicate with your data subjects, they need to understand what you are saying. Article 12 requires exactly this: information must be concise, transparent, intelligible, easily accessible, and written in clear and plain language. So:
- Use simple words, no fancy legal terms and tongue-twisting sentences.
- Make it easy for them to understand where their personal data is going and why.
- Don’t let them scroll for too long, keep it short and sweet (or, well, as sweet as this topic can be to anyone).
We could pull together an entire compendium on what happened since GDPR was enacted. But these are the absolute basics you should keep in mind. As a general rule of thumb, transparency, data protection, and clear communication are the three assets you must hold on to as if your life depended on it (because it probably does).
In a world swirling around data, your GDPR compliance plan needs to be right on point, to a fault. It’s not even about the monster in the closet, trying to “catch” you spilling the data. It’s about the very sanity of the world to come.