On May 25, 2018, the European Union Parliament enacted the General Data Protection Regulation (GDPR). As the name suggests, the new law is meant to regulate how individual and organizational data is stored, shared, and otherwise handled in our modern age.
The decision was met with a mixed reaction throughout the corporate world, but it was ultimately deemed necessary and appropriate by most. It is also important to understand that while the GDPR is exclusively a European Union regulation, it set an international standard which has been adopted by many other nations and international corporations.
So how does the GDPR impact modern business? To answer this, we will define the General Data Protection Regulation, explain how it influences international business, describe its impact on data regulation, and outline some high-level ways that companies can become GDPR compliant.
What is the General Data Protection Regulation?
As per the official EU website: the General Data Protection Regulation “regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.” Limitations of this regulation exclude deceased individuals and information exchange which occurs in the private sector where “there is no connection to a professional or commercial activity.”
The GDPR is wide reaching for nations within the EU. Any data being held for commercial purposes will fall under its regulation.
Individuals and organizations protected by the GDPR have been granted certain rights to control their data as well. These include mandatory breach notifications, right to access, right to be forgotten, data portability, and more. We will review this in greater detail below.
GDPR Affects International Company Policies
While the General Data Protection Regulation is of course a European Union law, it also has an extended reach known as extraterritorial applicability. The GDPR protects consumers under the following conditions:
- The company or organization is based in the EU.
- The data subject lives or is located anywhere within the EU, regardless of the company’s location.
- The data was sourced in or passes through the EU at any point, regardless of whether the data processing itself takes place in the EU.
As you can likely imagine, a law which governs a population of over 500 million Europeans impacts international business in a very real way. Companies from all over the globe must now comply with GDPR if they want to do any sort of business with an EU company or individual.
General Data Protection Regulation and the New Age of Data Protection
Data protection is more important than it has ever been before. How many user IDs and passwords do we all have floating around in databases? Thankfully, new laws like the GDPR aim to protect consumers in the following ways:
- Clarity of consent for data usage: in the wild west of the digital age, terms of service sometimes read like War and Peace. The GDPR demands clarity of intent when it comes to data processing so users know what they are agreeing to.
- Breach notification regulations: if and when a data breach occurs, the GDPR requires companies to notify users promptly and clearly. The law states that companies have up to 72 hours to report data breaches.
- Right to access and the right to be forgotten: individuals are also given more rights to control their personal data, even after it has been willingly given to an organization. Individuals may request clarification of what data is being stored and how it is being used. They may also request to be forgotten, which means having their data erased and data processing stopped altogether.
General Data Protection Regulation Compliance
Compliance with the GDPR is a difficult undertaking. Organizations must adhere to the regulations we have laid out above and more. However, a good place to start is by taking these three steps as suggested by Forbes.com:
- Hire a Data Protection Officer. At least one Data Protection Officer must be appointed by each organization in order to become GDPR compliant. It is important to understand that an existing database manager or data scientist can be given this role, but it must be an official title.
- Create a data breach disaster recovery plan. DR plans for data-related incidents are a requirement for GDPR compliance. Most organizations should have one already, but make sure that your DR plan adheres to GDPR requirements, including the 72-hour notification period.
- Keep detailed records of your GDPR compliance efforts. At the end of the day, complying with the GDPR doesn’t do your organization any good if you can’t prove it. Document your compliance procedures along the way.
Companies Rely on Clock Tower Insight for Data Protection Analysis
At Clock Tower Insight, we turn data into business solutions. By maximizing brand positioning, CX management, moments of influence, and more, we help build our clients’ brands in the short and long term. Clock Tower Insight believes that happy customers equal a happy business. We work closely with clients to tailor their brand from top to bottom in order to maximize positive image, exposure, and sales.
To learn more about how we may be able to help your business grow, read about our 15-plus years of focused experience working with brands such as Starbucks, Kraft, McDonald’s, and many more.