In April 2016 the European Union officially adopted the General Data Protection Regulation (GDPR), a sweeping data protection law that applies to nearly every organization doing business in EU countries. Enforcement begins on May 25, 2018, which is just a few months away.
The GDPR is clear about what it protects: "personal data" is any information relating to an identified or identifiable natural person, which covers the obvious items (names, home addresses, phone numbers) as well as email addresses and online identifiers such as IP addresses and cookie IDs. Many B2B marketers, however, are still trying to make sense of how it affects them.
Below we’ll look at some of the key GDPR regulations affecting B2B business. Keep in mind that in addition to ensuring your own organization’s compliance, you’ll want to make sure that any business partners handling your data will also comply. Here at True Influence, we’ve been hard at work over the last year to bring our systems and processes into compliance with GDPR requirements, and we are on track to be compliant in advance of the May 25 deadline.
A Brief Summary of the GDPR
The EU adopted the GDPR to give people greater control over their personal data and to ensure that businesses handle this data securely and responsibly. The law applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to people in the EU or monitors their behavior, regardless of where the company is headquartered. It protects anyone who is in the EU, not just EU citizens.
Specific requirements within the GDPR include the following (for a more thorough description of the regulations, visit eugdpr.org):
- Consent is one of six lawful bases for processing personal data (Article 6), alongside, for example, legitimate interests, which the regulation itself notes may cover direct marketing. Where a business relies on consent, that consent must be freely given, specific, informed and unambiguous, signaled by a clear affirmative action, and the request must be presented "in an intelligible and easily accessible form." Explicit consent is required for special categories of data (Article 9).
- Data subjects have the right to request and obtain confirmation of whether their personal data is being processed and, if so, to access the data along with its purposes, recipients, retention period and source.
- Personal data breaches must be reported to the supervisory authority within 72 hours of the organization first becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, the affected individuals must also be informed without undue delay.
- The "Right to Be Forgotten" (right to erasure): on specified grounds, such as the data no longer being necessary for its purpose or consent being withdrawn, a data subject may require a data controller to erase his or her personal data without undue delay and cease disseminating it; where the data has been made public, the controller must take reasonable steps to inform other controllers processing it so that they erase their links to, copies or replications of it.
- Organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (such as health data) or criminal conviction data, must appoint a Data Protection Officer, as must public authorities.
- Penalties for the most serious infringements can reach 4 percent of total worldwide annual turnover or €20 million (about $24.6 million), whichever is higher.
Does GDPR Even Apply to B2B Businesses?
When B2B marketers hear that GDPR concerns “personal data,” it’s tempting to think that the regulation has nothing to do with them. While it’s true that GDPR will impact consumer-facing organizations most directly, B2B organizations don’t get a free pass.
For example, the law applies not only to data controllers (organizations that determine the purposes and means of processing personal data) but also to data processors, entities that process personal data on behalf of a controller. Processors carry their own direct obligations, including keeping processing records, implementing appropriate security and notifying their controller of breaches without undue delay. So a B2B provider of cloud-based services that serves B2C organizations with customers in the EU would be required to comply.
It is also important to know the source of any data you receive and understand the consent or other lawful basis under which it was collected. For example, purchased sales leads must come from a company that complies with the GDPR's consent requirements, and you should be able to show what the individuals were told about onward sharing at the point of collection. Keep in mind that the business using the leads is a controller in its own right: it remains responsible for having a lawful basis for its own processing and for honoring data subject rights, and cannot shift that responsibility onto the source.
Action Items for B2B Marketers
The GDPR makes no carve-out for business contact data: a named individual's work email address, job title or direct phone line is personal data like any other, so savvy B2B marketers aren't taking any chances. If you or your clients do any business in the European Union, we recommend taking the following measures in advance of the May 25 enforcement date.
1. Update your opt-in and data consent forms.
Where consent is your lawful basis, the GDPR requires that marketers clearly communicate to data subjects exactly what they are agreeing to when they submit opt-in and consent forms, that consent be given by a clear affirmative action, and that the consent request be clearly distinguishable from other matters such as terms and conditions. That means no more pre-checked boxes, long paragraphs of legalese, or tiny, illegible fonts, and no bundling consent into acceptance of a contract.
With these requirements in mind, conduct an audit of all your opt-in and consent forms and make sure that:
- The consent text is at least as prominent and legible as the main offer being presented on the page.
- The disclaimer language is clear and easy to understand, and states who will receive the data and for what purposes.
- You have no "assumed consent" elements such as pre-checked boxes or consent inferred from silence or inactivity.
- Withdrawing consent is as easy as giving it, and the data subject is told how to withdraw before consenting.
- You record what each data subject consented to, when and how, since the controller must be able to demonstrate that consent was given.
At True Influence, all promotions we create for our clients are fully compliant with explicit consent regulations, including clear descriptions of the data being collected, the organization to whom it will be delivered, and how it will be used.
2. Revisit your data security policies.
The GDPR requires that businesses process personal data "in a manner that ensures appropriate security." The term "appropriate security" is deliberately risk-based rather than prescriptive, but Article 32 does name the kinds of measures it has in mind: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore the availability of and access to personal data in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of those measures. This is a good time to review your current security practices against that list and ensure that any gaps are identified and addressed in advance of the May 25 enforcement date.
3. Make sure you have a breach notification policy in place
The GDPR requires controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), to inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them, and to document every breach, its effects and the remedial action taken, even when no notification is required. Processors must notify their controller without undue delay after becoming aware of a breach. While no one likes to think about data breaches, we all need to have policies for dealing with them, including a plan for notifying the parties whose data is affected. If you don't already have a breach notification policy in place, here are a few questions to consider:
- How will you find out whether a breach impacts personal data, and which parts of your database are affected?
- How will you assess the severity of the breach and decide whether it must be reported to the supervisory authority, and who owns meeting the 72-hour deadline?
- If you process data on behalf of clients, how will you notify them without undue delay so that they can meet their own deadline?
- How will you notify data subjects of the breach?
- How much information about the breach will you share with affected data subjects?
- How will you handle follow-up questions resulting from your breach notification?
- How will you record the breach, your assessment and your response so that you can demonstrate compliance to the supervisory authority afterwards?
4. Build “privacy by design” into new systems
The GDPR (Article 25, "data protection by design and by default") requires controllers to build data protection into processing from the outset, both when the means of processing are determined and during the processing itself, rather than adding it in later. It also requires that, by default, only the personal data necessary for each specific purpose is collected, processed, retained and made accessible. If your company is considering a new system that affects the collection or processing of personal data, make sure to build in privacy features such as data minimisation, pseudonymisation, access controls and retention limits from Day One of your planning process.
Because the obligation applies "at the time of the processing itself," it covers existing systems as well as new ones, so review your current platforms against the same principles and fill any gaps in privacy features.
We've explored just a few of the GDPR's provisions that can affect B2B organizations. Of course, the full regulation comprises 99 articles and 173 recitals, so if you or your clients do business in the EU, your best source of information will be your legal counsel.
As a final note, remember that complying with GDPR requirements offers benefits beyond simply avoiding penalties. Businesses affected by the law that are looking for new vendors will want to know up-front which candidates have complied, so if you can add “GDPR compliant” to your list of selling points, you could open up new business possibilities. Also, consider that data privacy and security are top-tier concerns for both consumers and businesses across all industries, so reinforcing your systems and processes in those areas demonstrates a commitment to providing better service to your clients. And that’s just good for business.
Read the next post in our series: Does My Company Need a DPO for GDPR Compliance?