Have you been using a database to store customer data? If your answer is yes, you absolutely need to follow strict rules for consent management under the GDPR.
If you’re unsure where to begin, we’re here to show you. Let’s start with what GDPR is and who it affects.
The General Data Protection Regulation, or GDPR (effective May 25, 2018), is European data protection legislation that gives EU citizens greater control over their personal data.
Consumer data may include:
Date of birth
Why should you care about GDPR?
GDPR consent management law introduces strict rules to protect consumer data throughout Europe. This is regardless of whether the data processing occurs inside the EU or outside of it.
The scope of GDPR is massive. For most business owners or managers, understanding every single GDPR article is a daunting task. Our goal is to explain the most vital parts of GDPR in plain language, so you can grasp it more easily.
Why is GDPR vital to business?
GDPR is a regulation, not a directive, so it applies directly in every EU member state, and ignoring or misunderstanding its rules can result in hefty fines. To understand why compliance matters, consider the recent data breach fiascos at big companies like Facebook, Google, and Equifax: the EU wants to give people more control over their data.
Non-compliance can land businesses in serious trouble. The law provides for fines of up to 20 million Euros or 4% of annual global turnover, whichever is greater.
How GDPR regulations work
Where customer data is stored
How companies must handle consumer data
What comes under the GDPR?
Personal data, privacy, and consent are the primary pillars on which GDPR stands. Therefore, businesses must understand the intersection of these components.
Within its 11 chapters and 91 articles, “personal data” has been mentioned more than 600 times in the entire GDPR document. However, for this post, we shall focus only on those aspects that relate to identifying, tracking, and security operations.
Here are the essentials that GDPR provides to consumers:
Right to access: Individuals have the right to access their data and to know where and how it is used. Upon request, companies must provide a copy of the data, free of charge.
Right to data portability: Consumers have the right to transfer their data from one provider to another. Upon request, companies must provide the data in a commonly used, machine-readable format so that the transfer is straightforward.
Right to delete data: Individuals have the right to erasure. This means they can withdraw their consent from a company and have their data deleted.
Right to be informed: Consumers have the right to know what information is being gathered. In case of a breach, they must be notified within 72 hours of confirmation of said breach.
Right to restriction: Individuals have the right to restrict the processing of their data.
Right to correct the data: Individuals have the right to update their data in case the data is incomplete, incorrect, or outdated.
When is customer consent not required?
GDPR offers five instances when businesses can process customer data without the need for consent. These are:
Contractual requirement: When a business delivers goods or services at the customer's request, processing the data needed to fulfil that contract does not require separate consent. For example, an e-commerce shop needs a delivery address to ship a package.
Legal obligation: Consent may not be required when processing is needed to meet a legal obligation, such as producing criminal records.
Vital interest: Businesses do not need to ask for consent if the processing is necessary to protect someone's life. Vital interest typically arises in the healthcare and insurance sectors.
Public interest: When government authorities, schools, and hospitals are performing official “tasks in the public interest,” consent may not be required.
Legitimate interest: Businesses are allowed to collect consumer data to process a legitimate request (such as checking a customer's age before selling them liquor).
How to prepare your business for tracking customer data under GDPR?
One of the main components of GDPR is privacy. Hence, businesses should take a close look at what customer data they are handling and decide which steps are necessary to remain GDPR compliant.
Here are a few consent management considerations:
Know exactly what data you need from your customers and only collect that.
To get a clear picture of what you should, or should not keep, ask yourself:
Why would I need to save this data?
Why should I archive this data, rather than erase it?
Why am I collecting the data?
What’s more efficient: deleting or encrypting the data?
Prevent data breaches: Adopt the right security measures throughout your infrastructure to prevent data breaches. If a breach does happen, be sure to inform the authorities (and the individuals whose data you stored) about it.
Map your company's data: Identify and document where your data comes from, what you intend to do with it, and who can use it. Find out what risks are involved and learn how to mitigate them.
Define procedures for using the data: Establish policies on how data will be transferred, how you will obtain consent from customers in a lawful manner, and how you will protect your customers in the event of a data breach.