(and why you need to take data privacy seriously).
You think your data is secure, and then you get a call from the EU Data Commission saying they’ve found all your contacts on the Dark Web. It’s past 25 May 2018, and you’ve been breached.
You’re in big trouble – who’s going to front up and tell the business that they are in line for fines of up to 20M€ or 8% of global revenue…
And it doesn’t matter that you’re based in Australia or New Zealand. You’re still responsible for complying with the General Data Protection Regulation (GDPR).
We’ve all seen the fallout of highly publicised data breaches. Think eBay, Yahoo, Facebook, MyFitnessPal, Equifax (who lost 143 million contact records in one go) and the embarrassing Adult Friend Finder incident. Billions of dollars have been written off, and there have been some very red faces along with tarnished brand perception. Believe me, you don’t want to go there.
So, what is GDPR?
GDPR is the new European regulation that protects the data and privacy of individuals in the European Union (EU). Because GDPR is a regulation, not a directive, it doesn’t need national governments to pass any enabling legislation. It’s directly binding, and enforceable as of 25 May 2018.
Don’t go into relax mode just because you’re an ANZ business
GDPR also addresses the export and use of personal data outside the EU. It applies to any private data you’ve collected about a European national or corporation. This can be a business partner, supplier, employee or customer.
It even applies to the data you hold on a ‘local’ contact who has dual citizenship (think New Zealand/Dutch, Australian/South African) or has a European passport but local residency.
What does GDPR expect of you?
The GDPR regulations make it very clear that you need to understand whose data you have, why you’ve got access to it, and what right you have to use it. And if someone says “I don’t want you to have access to my data” you need to be able to remove that data or make it anonymous.
Now while this sounds not dissimilar to our current privacy legislation, the big difference is that you need to proactively and without exception tell people you have their data stored.
Remembering that we all collect data to use for marketing, prospecting, potential business relationships etc. over the course of our business week, this becomes a challenge. Especially when you realise that it even applies to copying information from a business card someone handed you. And it doesn’t matter whether you’ve saved them as a contact in Outlook, added them to your CRM or to an Excel spreadsheet. It’s also immaterial if you never got around to using that data either.
Why GDPR is tricky
Without a single repository for all contact data, the cost and effort to identify the information you hold is going to be considerable. Managing this data on an ongoing basis means understanding all the places you are holding personal data; this is the time to seriously consider investing in consolidating your records in one secure place.
For many businesses, it’s going to be a massive if not impossible challenge to identify where their information is stored, and isolate which data is impacted (unless you’ve carefully recorded the nationality of every contact).
Where do you even begin?
Start with a reality check: Understand that GDPR does impact your business in some way, shape or form. There’s no avoiding it. If you’re offering goods and services to people in the EU, or analysing and collecting data from people and companies in the EU (even if residing in your country), then you’re required to protect their right to privacy.
In many ways, GDPR is incredibly onerous. But looking on the bright side, it brings a new level of clarity and reinforces best practice for the collection and retention of data. And it’s a chance to clean out contact data from a 5-year-old marketing list.
Who can help?
I tell clients that the key to working with GDPR is understanding your data and knowing what your technology partners/solutions are doing to protect it. Protection is not just about silos – it’s a holistic approach spanning device, physical, infrastructure and application security. End to end.
For example, Microsoft Dynamics CRM has a huge range of tools to help you make the data in your system anonymous (so if you can’t establish a reason for having this data but want to hang on to it for analysis, you don’t need to dump it), or to apply an archiving rule (for example, retiring data collected for a specific date-driven event – like a competition, an event, or a piece of research).
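As an added illustration of the two ideas in that paragraph (this is example code written for this article, not Microsoft Dynamics CRM functionality or any vendor’s code), the script below runs a simple retention pass over a contact list: records with a documented lawful basis are kept, records collected for a dated event are retired once an assumed 90-day window has passed, and anything else is stripped of direct identifiers while coarse analytical fields are kept. The field names, the retention period, the key and the sample contacts are all assumptions constructed for the example.

```python
"""Added example (not part of the original post and not Dynamics CRM code):
a small retention/anonymisation pass over contact records. Field names,
the retention period, the key and the sample records are all constructed."""
import hashlib
import hmac
from datetime import date, timedelta

# Assumed retention window for event-driven collections (e.g. a competition).
EVENT_RETENTION = timedelta(days=90)

# Constructed demo key. In practice this lives in a secrets store; if it is
# ever destroyed, the pseudonyms can no longer be linked back to anyone.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256).

    Keyed hashing is pseudonymisation, not full anonymisation: whoever holds
    the key can still link records, so the key must be protected and the
    result should still be treated as personal data under GDPR.
    """
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def apply_policy(records: list, today: date) -> dict:
    """Return {'kept': [...], 'anonymised': [...], 'purged': [ids]}.

    Rules (assumed for this example):
      * a record with a documented lawful basis is kept as-is;
      * a record collected for a dated event is purged once
        event_date + EVENT_RETENTION is in the past;
      * any other record is stripped of direct identifiers but keeps
        coarse analytical fields (country, industry).
    """
    out = {"kept": [], "anonymised": [], "purged": []}
    for r in records:
        if r.get("lawful_basis"):
            out["kept"].append(r)
        elif r.get("event_date") and r["event_date"] + EVENT_RETENTION < today:
            out["purged"].append(r["id"])
        else:
            out["anonymised"].append({
                "id": r["id"],
                "contact_ref": pseudonymise(r["email"]),
                "country": r.get("country"),
                "industry": r.get("industry"),
            })
    return out


# Constructed sample contacts (not real people).
SAMPLE_CONTACTS = [
    {"id": 1, "name": "A. Example", "email": "a@example.eu", "country": "NL",
     "industry": "retail", "lawful_basis": "contract"},
    {"id": 2, "name": "B. Example", "email": "b@example.eu", "country": "DE",
     "industry": "finance", "event_date": date(2018, 1, 15)},
    {"id": 3, "name": "C. Example", "email": "c@example.nz", "country": "NZ",
     "industry": "retail"},
]


def demo(today_iso: str = "2018-05-25") -> dict:
    """Run the policy over the sample contacts as of the given ISO date."""
    return apply_policy(SAMPLE_CONTACTS, today=date.fromisoformat(today_iso))


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

Run as-is it reports one kept record, one purged id (the January event contact, whose 90 days expired in April) and one pseudonymised record that retains only country and industry. The design choice worth noting is the keyed hash: unlike a plain SHA-256 of an email address, it cannot be reversed by hashing a guessed address without the key, but it is still reversible by whoever holds the key, so it counts as pseudonymisation rather than anonymisation.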
But above all, whatever you invest in should be done with the goal of having your data secure. There is no such thing as unbreachable, but there are many protections you can put in place, and a basic framework to follow is the best place to start.
So, make a plan for compliance
What do you do if you’re breached?
First, don’t PANIC!!! Second, check out my advice:
Just do it
My final recommendation is to be proactive in responding to the GDPR standards.
If you have a CRM, make sure you patch your operating systems and applications. Ensure that you have two-factor authentication in place for remote access, so you know when people are accessing critical or sensitive data.
If you don’t have a CRM, invest in a solution which protects, consolidates and manages your data. And do it soon. You really don’t want that call from the EU Data Commission; it could cost you dearly.
This all sounds quite complex and scary, but most organisations that I’ve been talking to are pretty philosophical about it.
When you think about it, all that’s being asked of you is to respect the personal data that you’ve been entrusted with. That’s reasonable. It’s part of being a good corporate citizen, and from a consumer point-of-view it’s what you’d hope was happening already.
It’s the work to get it right that’s hard, but no one is begrudging the intent behind the directives.
The GDPR is just the start of a wave of ramifications. Other instruments, such as the Australian and New Zealand Privacy Acts, have similarly large impacts.
In my opinion, having policies in place to protect data and to notify if breached, a plan to remediate, and active participation in compliance initiatives will all be taken into account.
At this stage, the Office of the Australian Information Commissioner (OAIC) has not pursued fines against any organisations who are actively trying to achieve compliance with the Notifiable Data Breaches (NDB) scheme, which came into effect on 22 February 2018. Be warned though, they do have the ability to issue fines of up to $2.1M AUD. Imagine being an Australian company that gets hit by both the EU GDPR and the Australian Privacy Act, just due to complacency…
Written by Heath Ragg, Director, Enterprise Services ANZ