On May 25th 2018, the General Data Protection Regulation will come into effect. Meant to protect the personal details of residents of the European Union, this regulation aims to standardise personal data rules across all countries within the EU.
Starting in May 2018, the majority of market players will need to change their personal data collection systems to conform to this new European regulation. ‘Any information related to a natural person or “Data Subject”’ constitutes personal data, including name, IP address, location details…
Whether you are a small, medium or large company, the GDPR applies to all companies that work with data, no matter the sector. As we are now only a couple of months away from when it takes effect, here are 5 changes to take into account to conform to this new regulation.
1. Put a double opt-in in place
From May 2018, companies will no longer be allowed to send unsolicited emails to internet users. They’ll need to put a double opt-in system in place for their email campaigns, to clearly and explicitly inform users about data collected and get their consent.
The first opt-in takes place when the individual fills in the form, where you explain why their email address is being collected. Once they have accepted this step by ticking the box, the second opt-in occurs through a confirmation email in which the person confirms that they wish to receive the information they agreed to in the first step. Only at this point are they added to your database. For clients already saved in your database, you will need to send them personalised emails to obtain their permission to continue contacting them.
While this double opt-in is sure to slow down the acquisition of new clients, it will give companies a higher-quality database, which is likely to lead to a consolidation of the market.
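The two steps above as a small consent store, written here as an added example rather than code from the original post: an address becomes contactable only once its confirmation token is used, the token is single-use and expires, the stored record keeps the purpose and timestamps as written evidence of consent, and an erase method covers the removal request described under ‘Managing data’ below. The class and method names and the 48-hour link validity are assumptions.

```python
import secrets
import time

# Constructed value: a confirmation link stays valid for 48 hours.
TOKEN_TTL = 48 * 3600


class ConsentStore:
    """Double opt-in: nobody enters the mailing list until step 2 completes."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock, so expiry can be tested
        self.pending = {}         # token -> (email, purpose, requested_at)
        self.confirmed = {}       # email -> consent record (the proof you keep)

    def request_optin(self, email, purpose):
        """Step 1: form submitted with the box ticked. Only a pending entry
        is created; the address is NOT yet contactable. The token is what
        the confirmation e-mail link would carry."""
        token = secrets.token_urlsafe(24)   # 192 random bits, unguessable
        self.pending[token] = (email, purpose, self.now())
        return token

    def confirm(self, token):
        """Step 2: the user clicks the confirmation link."""
        entry = self.pending.pop(token, None)   # single use: removed on first try
        if entry is None:
            return None                         # unknown or already used token
        email, purpose, requested_at = entry
        if self.now() - requested_at > TOKEN_TTL:
            return None                         # stale link: user must start over
        record = {
            "email": email,
            "purpose": purpose,                 # what exactly was agreed to
            "requested_at": requested_at,
            "confirmed_at": self.now(),         # evidence of explicit consent
        }
        self.confirmed[email] = record
        return record

    def may_contact(self, email, purpose):
        """Send only if a confirmed record exists for this very purpose."""
        record = self.confirmed.get(email)
        return record is not None and record["purpose"] == purpose

    def erase(self, email):
        """Right to erasure: drop the record; returns whether one existed."""
        return self.confirmed.pop(email, None) is not None
```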
2. Adjust your cookies
As a website owner, you already have to tell users when cookies are set to collect information on their browsing (example: ‘This website uses third party cookies to obtain statistical information about browsing. If you continue to use the site, we will assume you have accepted their use.’). However, today users do not have to click an ‘OK’ or ‘I understand’ button: the cookies are set as soon as they visit another page on the site.
With this new regulation, the cookie procedure will be reinforced by new, more detailed consent buttons. Users will be able to control all of their cookies, and will no longer be able to access the site without having made a choice by clicking an ‘Allow’ or ‘Refuse’ button.
3. Managing data
For users who do not want their data collected, companies will have to encrypt it. This pseudonymisation consists of replacing a username with a pseudonym, so that the individual’s information remains secret.
Moreover, if your site’s visitors agree to their data being collected, they also have the right to have it erased. This means they can ask for the complete removal of the customer data collected about them on your platform, if need be, so that they keep full control of their own data.
4. Prospecting by email under certain conditions
With the GDPR, companies will no longer be allowed to send prospecting emails to their clients (whether B2C or B2B) without their specific consent. This explicit consent also applies to mailing lists or business cards collected during tradeshows.
5. Collaborating with ‘compliant’ companies
This regulation is not limited to your own company. You will also be held responsible for the misuse of your data by the providers with whom you collaborate. It is therefore important to surround yourself with ‘compliant’ partners, to ensure the GDPR is applied correctly.
Furthermore, to oversee compliance with this regulation, it is highly recommended to appoint a Data Protection Officer, who will inform and advise the company and its collaborators. To prove your compliance, you will need to put a number of actions in place (such as those listed above) and demonstrate in writing that you are protecting the data you hold.
In the event of non-compliance, your company is liable to a fine of 4% of its annual worldwide turnover or €20 million, whichever is higher.