Recently we have been inundated with news and concerns about privacy and data protection, and even a new law governing how businesses must handle customer information.
In the wake of the now-infamous Cambridge Analytica scandal, many social media platforms have been scrambling to update their privacy policies. They have their reasons for doing so—after all, it’s in their best interests to convince users to keep trusting them with their data.
However, governments don’t always trust private industry to regulate itself effectively, and several nations have recently imposed new rules for how companies are to deal with sensitive customer information in the future.
Nowhere is this currently more evident than in the European Union, where the GDPR (General Data Protection Regulation) was rolled out on May 25, 2018.
Wondering how these new rules might affect the way your business uses social media? You’re far from alone.
Businesses that do not comply with these new rules may be subjected to hefty fines, so companies of all kinds are scrambling to stay up to date. Before you can do so, you need to learn more about what these regulations are and how they came to pass.
The Origin of the New Privacy and Data Protection Regulations
The GDPR was first suggested almost six years ago, and was hotly debated until 2016 when paranoia about cyber security reached a global zenith. As the world began to worry about Russian hackers meddling in elections and data breaches at major corporations, the European Parliament voted to put the proposed changes into action.
Fast-forward to 2018—a year that has so far seen Mark Zuckerberg avoid giving straight answers to basic (if sometimes misinformed) questions about data protection during a hearing on Capitol Hill. In a world of increasingly worrisome scandals and seemingly unstoppable tech giants, no wonder people are paranoid. No surprise then that the GDPR was implemented so suddenly after being regarded with caution for so long.
Do the Data Protection Regulations Apply to You? (They Probably Do)
There has been plenty of pushback against the new rules, especially from the private sector in countries outside the EU such as the United States. Don’t assume that your company can ignore the GDPR if it isn’t based in the EU, either. Article 3 of the GDPR states that anyone who collects personal data or behavioral info from a person in an EU country will be held to GDPR standards.
That’s right: your company doesn’t have to be in the European Union, but if even one of your customers is, then you need to make sure you’re protecting their data according to the new rules.
It’s also important to acknowledge how broad terms like “personal data” and “behavioral information” are. Think they just refer to sensitive financial transactions? Think again. Even information collected during a marketing survey to build a stronger buyer profile could qualify.
The saving grace for U.S. companies and others outside the EU is that this rule only applies to targeted marketing. For example, if your website has a generic marketing survey and a person from Germany stumbles across it, you probably don’t need to worry. However, if that survey is written in German or refers specifically to European customers, then it would be considered targeted marketing and would be held to GDPR standards.
How to Stay Compliant with the New Privacy and Data Protection Rules
Instead of trying to prove that your business doesn’t need to satisfy the GDPR requirements, it’s probably less risky to just go along with them. Here are the bases you should cover right away:
- Obtain consent from customers before processing any of their personal information
- Protect customer privacy by keeping the data they share with you anonymous
- Send notifications to your customers immediately in the event of a data leak or security breach
- Provide a free electronic copy of all personal data collected from a given customer upon request, and disclose the purpose for collecting said data in the first place (this is known as a customer’s “Right to Access”)
- Erase data from a given customer upon request (known as a customer’s “Right to be Forgotten”)
- Appoint a Data Protection Officer if your business requires regular monitoring of subjects on a large scale, or routinely deals with people who have been convicted of criminal offences
The full list of changes, along with article summaries, can be found here—but implementing the tasks above should be your highest priority since they represent the most drastic changes to current data protection practices.
Data protection is no longer something consumers can afford to take for granted, which means businesses can no longer afford to neglect it. Whether your business is based in the EU or elsewhere, compliance with these new privacy and data protection rules will improve your security and dramatically lower the amount of risk that you and your customers face.
Nick Rojas is a self-taught, serial entrepreneur who’s enjoyed success working with and consulting for startups. Using his journalism training, Nick writes for publications such as Entrepreneur, TechCrunch, and Yahoo. He concentrates on teaching small and medium-sized enterprises how best to manage their social media marketing and define their branding objectives.