GDPR: What your company should know and do, starting now

Starting in May 2018, the European Union will enforce a set of regulations designed to protect European citizens’ personal data. They affect every company that handles EU citizens’ personal data, meaning that, yes, even your non-EU-based company will need to comply.

Some countries, such as Germany, already have strict data protection regulations in place, but the GDPR adds a major incentive for compliance: fines of up to €20M or 4% of global turnover for the more serious offenses. Significant changes are coming, and some of them are not trivial to implement, particularly in more complex organizations.

We’ve rounded up some of the key things you need to know and be prepared for. First things first…

#1 — What is Personal Data?

"Any information relating to an identified or identifiable individual (data subject)" is how the OECD defines it.

This includes (but is not limited to):

  • Name, address, and unique identifying numbers (e.g., your social security number);
  • Demographics — such as age, gender, income, or sexual preference;
  • Behavioral data — web searches, purchase history, and more;
  • Social data — who your friends are, your emails, etc.;
  • Sensor data — biometrics, health tracking devices;
  • User-generated content — videos, photos, blogs, or comments.

The GDPR is only concerned with personal data, which means that anonymized data is out of its scope. There is an important caveat, though: if data, even if nominally anonymized, can somehow be tied back to an individual (for example, by combining multiple data sources and inferring an identity from that analysis), then that information can be deemed personal.

#2 — The Data Subject, the Controller and the Processor

[Figure: processing data — a data love triangle]

In GDPR terms, the data subject is the individual the data is about, the controller is the entity that decides why and how that data is processed, and the processor is an entity that processes the data on the controller’s behalf. So in the case pictured above, your customers are obviously your data subjects; you are a data controller; and Shopify and MailChimp, which handle that data for you, are processors. We’ll delve a bit more into the implications of this later.

This is only one example of the possible relationships between subjects, controllers, and processors. Many more are possible — controllers can also handle the data themselves, and processors are often controllers too when, for instance, they manage their own employees’ personal data.

#3 — Data protection & accountability

[Figure: with data comes great responsibility]

As a controller, you’re responsible for the data you hold. This means you need to take steps to protect it and be able to demonstrate those steps to Data Protection Authorities (DPAs).

In practice, you need to secure the data your organization holds. That can mean technical controls such as strong encryption, but it can equally mean training your employees in data-handling best practices.

Additionally, you need to make sure that the processors you use to handle the personal information your company controls actually protect that data (even though those processors are themselves accountable under the GDPR).

The European Data Protection Board and national DPAs are expected to develop certification mechanisms for controllers and processors, so it is worth keeping an eye out for certified organizations that can demonstrate compliance.

#4 — Consent is key

[Figure: ask for permission, not forgiveness]

We know, we know, that’s not how you say that.

Consent is one of the fundamental aspects of the GDPR. Companies will now need to obtain consent from their customers for every use of their personal data.

And no, 250-page Terms & Conditions aren’t cool anymore. Neither are pre-ticked checkboxes — consent is only valid if it is actively given. Controllers are also required to state, in plain language, the purpose for which the data will be used.

Moreover, subjects have the right to object to each purpose, and can’t really be denied service for refusing unless that usage is essential to providing the service (e.g., you do need your customer’s address to ship T-shirts, but agreeing to receive newsletters isn’t really that important).

Data subjects must also be able to withdraw consent at any time, preferably through the same interface they used to give it in the first place.

What can you do? If you have a website, make sure your users agree to everything you do with their data, and don’t forget to record that consent. This might mean changing sign-up forms or checkout processes. There are already tools that can help you with this, such as ConsentCheq.

#5 — Improved subject rights

[Figure: GDPR’s bringing the power back to the people]

The GDPR also grants data subjects a comprehensive and enhanced set of fundamental rights. These include:

  • Right to be forgotten (or right to erasure) — subjects can request that their data be erased when it is no longer necessary for its original purpose.
  • Access & rectification — subjects must be able to access their personal data and correct it.
  • Portability — on request, controllers need to provide all the personal data they hold on a subject, in a portable format. Interestingly, Google, for example, already offers this through its Takeout page.

Make sure your organization has the processes in place to support these. Gathering all the data you hold on a user into a neatly packed .zip file might not be a trivial task.

#6 — Fines are a b!

As mentioned, this is likely the biggest driver of GDPR compliance. Fines fall into two categories:

  • Penalties of up to €10M or 2% of global turnover, or
  • Penalties of up to €20M or 4% of global turnover.

That’s huge!

Article 83 states that fines should be “effective, proportionate and dissuasive”. It also says that fines are discretionary rather than mandatory, and are assessed on a case-by-case basis.

If you’re curious, you can read more about which offenses fall into each category here.

Summing it all up (or TL;DR)

The GDPR is coming, and with less than a year and a half to go, most organizations will need to make some changes — and that’s not a whole lot of time.

Ignoring the issue is not really an option, given the business-killing fines companies may face.

Here are some final thoughts:

  • Check how your company stores personal data and ensure that the methods used are iron-clad.
  • Adapt your customer touchpoints to support the subject’s rights, such as data portability.
  • Make sure everyone who handles personal data within your organization understands what these changes mean.
  • Choose the entities you share your users’ personal data with very carefully, as a slip-up might mean the end of your business.
  • If you already rely on third parties to handle personal data, verify that they are already GDPR compliant, or at the very least that they will be by May 2018.

The transition should be fairly smooth for your online T-shirt business, but it can quickly get tricky in larger and more complex organizations that handle a lot of personal data in many different ways. Most of these will likely require a significant investment to ensure compliance. In a survey of large companies (over 250 employees), over half had earmarked more than $100k for compliance, and 11% more than $1M.

When in doubt, do seek professional advice. The stakes are too high to risk penalties.

For more resources, check the awesome Bird&Bird Guide to the GDPR or the whole darn thing here or here.
