Preparing for GDPR

The massive data governance opportunity from the General Data Protection Regulation

What is GDPR?

The EU General Data Protection Regulation is European legislation that represents one of the biggest changes to data privacy law in decades and extends far beyond the borders of the EU.  It is meant to consolidate data privacy regulations across Europe, give businesses guidelines on the collection of customer data and give consumers control over their data.

Despite being based in the EU, GDPR affects companies worldwide. As the world’s 2nd largest single market with over 500 million consumers and over $16 trillion in GDP (as of 2015), companies in the US, Asia and beyond have little choice but to comply. In fact, 92% of US multinational companies cite GDPR as their largest data protection initiative, with 68% of those earmarking between $1 million and $10 million for compliance efforts.

As a brand and data controller, your organization will be held responsible for ensuring direct compliance, as well as third-party vendor compliance, with both the EU-US Privacy Shield and GDPR. The law applies to any company, regardless of where it’s based, doing business in the EU or monitoring the behavior of EU citizens. The deadline and enforcement date for GDPR compliance is May 25, 2018. Companies found in non-compliance are subject to administrative fines of €20 million or 4% of worldwide revenue, whichever is greater.

What is GDPR and How Does it Impact My Business?

It is becoming increasingly important to understand how your data is being collected, where your data is going and who is using that data.

Data Governance as an Opportunity

The GDPR is another reminder of how little mastery marketers, and businesses overall, have over sensitive customer data, whether that data is used for marketing or other purposes.

While many market leaders have adopted data governance as a strategic opportunity to improve marketing relevance and timeliness, the vast majority of companies are stuck managing data inside a single department or technology. Ironically, this new government regulation might be just the compelling event that will propel marketers to truly become data-driven by taking a unified approach to data, allowing for data security measures and increased marketing effectiveness simultaneously.

Given our unique position in the data supply chain, having Tealium as a trusted partner builds confidence in your business’ ability to appropriately and legally manage data, while significantly reducing your reliance on your digital marketing and analytics vendors to adhere to privacy standards.

12 Key Changes to Customer Data Protection Regulations – Implications

In addition to the recommended steps for building your data governance strategy, here are 12 key facts and steps that you should take to prepare for GDPR:

1. “Personal Data” is Becoming Broader – The definition of personal data will be expanded to include genetic, economic, or social identity data.

2. Compliance Required for Companies Outside the EU – Any company, regardless of where it’s based, must comply with the regulation if it deals with an EU citizen’s personal data.

3. New Special Protections for Children’s Data – Parental consent will be required, so businesses will need to implement procedures to obtain consent.

4. Getting Valid Consent – Consent must be simple and clear. Silence or inactivity will not constitute consent.

5. Data Breach Notification Requirements – Placing a greater onus on data supply chains, all data breaches potentially harming individuals must be reported to regulators and the individual.

6. The Right to be Forgotten and Access Requests – Companies will have to give individuals access to data collected in a timely manner, and data subjects will have the right to be forgotten.

7. Mandatory Privacy Risk Impact Assessments (PIA) – There will be conditions under which a PIA is mandatory in high-risk situations.

8. Privacy by Design – Privacy in a service or product must be built in from product conception and should only collect the minimum personal data possible.

9. Contractual Requirements – Data protection will need to be clearly documented and this could impact contract negotiations for risk and security considerations.

10. International Data Transfer Concerns – The regulation also applies to data processors, so there is risk in transferring data to countries outside the EU.

11. Data Portability – Businesses have to provide data collected to subjects electronically and in a commonly used format.

12. Introduction of the Data Protection Officer (DPO) – Some businesses will need to hire or appoint a DPO to oversee data security compliance.

Does Brexit mean UK companies don’t need to comply with GDPR?

No. All companies that deal with the data of EU citizens, regardless of where they are based, are subject to enforcement and administrative fines of €20 million or 4% of worldwide revenue, whichever is greater. It is also unlikely that Britain will have exited the EU by May 2018 when the regulation goes into effect. There has been speculation that the UK will implement similar regulations after Brexit.

Data Governance Resources

To help get your data governance strategy in order, here are resources to help you take control of customer data security:

Papers

Browse our collection of data governance downloads to help you plan your strategy:

White Paper: Data Governance – How well are you protecting your data?

Download: 5-step Data Governance Checklist

Resources

Helpful resources for data protection education and planning:

European Commission Directorate General EU Data Protection

UK Information Commissioner’s Office GDPR Overview

Need Help Trying to Figure Out What GDPR Means for Your Business?

Tealium’s solution consultants are knowledgeable and ready to help you strategize your data governance plan to help you get ready for GDPR.