The GDPR. You’ve probably heard rumors and seen headlines about it over the last few months. Do you really need to pay attention, or is it just some legal mumbo jumbo cooked up by bored politicians?
The answer to that question is the ever so infuriating: “it depends.”
But don’t worry!
We’re here to clear up the confusion surrounding the new GDPR law.
By the end of this article, you’ll know exactly what it is, how it could affect your business and what you can do to ensure compliance.
And we promise to spare you the highfalutin legalese. We’ll just give you the cold hard facts in an easy-to-digest kind of way so that you can quickly learn the information you need and get on with running your business.
Sound good? Let’s do it.
So, what is the GDPR?
Let’s start with the basics. The GDPR (General Data Protection Regulation) is a new regulation that governs the appropriate use of the private information of all EU (European Union) citizens.
The regulation was first adopted in April of 2016 and now, after a two-year transition period, will become enforceable on May 25th, 2018.
The purpose of this new regulation is to give individuals greater command of their personal data.
This includes any and all information your company might be in possession of such as customer pictures, addresses and even Facebook posts.
Basically, if your business is located inside the EU or serves a customer base that is, they will now have much greater control over the way your company is legally allowed to use their personal details.
Power to the people!
Failure to comply with the GDPR could result in severe financial penalties of up to 4% of your company’s total revenue or 20 million euros, whichever amounts to more.
So we suggest full and complete compliance.
What Makes the GDPR Different From Previous Data Laws?
Ok, we know what you’re thinking, “Data regulations are nothing new. Do we really need another law telling us how to handle our customers’ information?”
We’re sure many different people have varying views on the matter, but they’re all irrelevant.
The GDPR is happening.
You just need to know how it differs from the previous directive so you can assess whether your company needs to make any changes.
And speaking of the previous directive, the GDPR replaces the “1995 Data Protection Directive”, which has been in effect since, you guessed it, 1995.
Now, let’s cover the differences:
- The Scope: The first, and arguably most significant, change you’ll see pertaining to the new GDPR law is the size and scope. This new regulation applies to each and every company that processes the private data of EU citizens — regardless of where your company is physically located.
Which means even the grimy little programmer building apps in his mom’s basement, if he sells said apps to customers in the European Union, must comply.
Personal data, as defined by the GDPR, is anything that can be used to identify your customers, both directly and indirectly. As we mentioned previously, this includes personal addresses, photographs and social media posts.
- Customer Consent: Your business is required to ask for and receive explicit permission from each of your customers before using their private data in any way.
The GDPR also states that requests for such consent must be made in clear terms, easily understood and using plain language.
So check that legalese at the door and make sure your customers know exactly what they’re agreeing to.
- Erasure Rights: The Right to Erasure, AKA the Right To Be Forgotten, ensures your customers have the ability to request — at any time — that their data be expunged (erased) from your records.
This could be because of irrelevance or a withdrawal of consent. But the point is, ultimately, your customers control their data, not your company.
- Breach Notifications: There are a lot of no-good crooks out there, and data breaches happen.
If your company falls victim to an attack of this kind, the GDPR requires that you notify all affected individuals within 72 hours of first becoming aware.
But wait! There’s a stipulation: Article 33 states that your company is only required to inform customers if the breached data is likely to “result in a risk for the rights and freedoms of individuals.” If that’s not the case, feel free to keep those breach details on the downlow…
- Information Rights: Under the GDPR, your customers have the right to know how and why their private information is being processed and used by your company.
And in order to stay compliant with the new regulation, your organization must be prepared to answer all requests for such details in a timely manner.
Additionally, the answers you provide must be transparent, easily understood and always cost free.
- Portable Data: In the event that a customer of yours decides to use the services of another provider, the GDPR mandates that your company accommodate any requests for the transfer of their personal data.
It may hurt watching a customer leave your service for a competitor, but we guarantee a hefty fine for not complying with the GDPR data portability requirements will hurt a lot more.
How to Ensure GDPR Compliance
Remember, the GDPR only applies to businesses either located in the EU or with customers who live in the EU.
If neither of these factors applies to your organization, then neither does the GDPR, and your company won’t need to make any changes. Go forth in peace.
If your company does do business — in any way, shape, or form — inside the European Union, here’s what you need to do in order to ensure your company’s compliance:
#1 First, if you plan to use a customer’s private information — for any purpose — be cool and ask for their consent BEFORE actually using it.
It’s the law now and, honestly, it’s just the right thing to do anyway. So keep it on the straight and narrow and get permission. If a customer withdraws their consent down the road, honor that request.
#2 Also, institute company-wide policies to better facilitate customer requests for information and to efficiently notify your customer base of any data breaches that could result in harm to them.
#3 Finally, if a customer decides to move on, they have the right to take their data with them. Honor any and all requests to transfer customer data to other providers if asked.
Boom! You made it through and are now a bona fide expert (at least in our book) on the new GDPR law. Feel free to brag about it to everyone you know.
If your business operates within the European Union, you’ll likely need to make a few changes to the way you acquire and handle your customers’ personal data.
And we recommend making these changes ASAP.
20 million euros is quite the princely sum.
Fortunately, assuming your company hasn’t been dealing in shady data practices, the changes should be fairly simple to make.
So make them. Then you can get back to dominating your industry like the boss we know you are. Good luck!
This post provides general advice about the GDPR and how companies can comply with the new regulation. Toggl is not a law firm and Jacob Thomas, the author of this post, is not an attorney.
Though we’ve done our best to ensure the accuracy of the information in this blog, we recommend you consult a lawyer in regard to actual legal advice pertaining to the GDPR.