The heart of the GDPR is about consent. Here’s what you need to know.
Here are the facts
On the 25 May 2018, the EU’s European General Data Protection Regulation (GDPR) will come in to force. As it’s an EU regulation, the GDPR will automatically take effect without the need for it to be locally implemented by member states.
The GDPR applies to businesses who offer goods or services to ‘data subjects’ (people who hand over data in return for services) within the EU as well as those who monitor the behaviour of data subjects in the EU. It applies to data controllers as well as data processors. In short, it’s all about data.
Let’s cut through the noise
Does the GDPR apply to your business? Most likely yes.
If you do any business in the digital economy and if your website ‘profiles’, or ‘tracks’ users, or if you have customer emails, then the GDPR is relevant to you.
What’s the aim of the GDPR?
The GDPR’s purpose is quite noble, namely to put control of personal data back in the hands of the customer.
The GDPR creates a single set of data protection rules, rather than the legal maze built by 28 different EU member state laws.
What is the first thing I should do?
Giving power back to your customers requires you to look at how you collect data, what you collect and how you use it. In other words, you need to have a comprehensive understanding of your data practices.
This sounds complicated
Not really. The heart of the GDPR is about consent.
You must make sure your customers have a good experience if they hand over their data to you.
To make the consumer experience positive, businesses will need to provide a simple and easy-to-use solution that tells the customer what its data practices are. You must tell them what their GDPR rights are – such as the right to be forgotten, the right to access the data, to correct or take their data, and the right to object to ‘profiling’, amongst other important rights.
Remember – the customer will have full control over the data they give you. Not you. The customer.
Consent, consent, consent. Repeat after me …
Consent under the GDPR must be freely given and needs to be front and centre before any customer profiling begins. It’s important to note that valid consent is also dependant upon the customer being able to withdraw it at any time.
The most important thing you can do?
Give your customers the information they need to make an informed decision that is best for them. Do this, and you’ve got the consent bit sorted. If you get the consent bit right then, you’ve gone a long way to complying with the GDPR.
Don’t drop the ball
Regulators will enforce the consent part of the law first. Why? Because it’s what they can see without having to dig and the penalties for dropping the ball can be up to 4% of your global turnover or €20 million.