GDP-ahhhh, one week to go! Tip of the day 4 of 10. Why didn't you tell me this at the start?!


This week I've been sharing a tip of the day to help you prepare for GDPR, which finally comes into force at the end of next week!

Yesterday's tip was to reassure (most) people that you do not need to delete your database and start from scratch, and you don't (necessarily) even have to get your existing users to re-opt-in - in spite of the spam you've no doubt received recently. So, what's today's GDPR tip of the day?

If you are a European company abiding by existing laws then you were probably 90% compliant with GDPR already!

I know, right! You've been panicking, hearing all these scary stories, wondering if you're going to have to start from scratch! But if you've been compliant with existing European data laws then there's only a few key changes with GDPR. Two of the biggest ones are what I've covered in previous tips - TELL your users what you intend on doing, and GET EXPLICIT permission from them.

But the most significant change that's causing all the panic isn't a specific process change, it's the size of the fines that a company may be exposed to under GDPR! And that's what is making everyone focus their minds and review how they were using and treating data before.

The DPA laws have been around in Europe since 1984 and were revised again in 1998. Most European companies would have been compliant with that already. However, it was really easy to become complacent and treat people's data as if it was your own, when it never was! You have to respect the data that you have and use it only for the reasons you've told people. Transparency is absolutely key here. Look at the alleged Facebook and Cambridge Analytica events to get an idea of how data might have been used in ways people had no real knowledge of.

If you were not compliant and you got a fine pre-GDPR then it wasn't likely to be a significantly damaging fine. Maybe hundreds, possibly thousands, but rarely hundreds of thousands or millions of pounds/euros/dollars etc. With GDPR the fines are VERY significant. Up to either 4% of your GLOBAL revenue or 20 million euros. And that's why people have been panicking and putting so much focus on the data they hold (or are going to hold).

I'm not saying relax, but I am saying don't panic if you are a European company. You really couldn't have been that far off GDPR in the first place!

By the way, another small heads-up about a key change: Subject Access Requests almost always need to be free now - you can't charge an admin fee without a very, very good reason. So if you get someone asking for a copy of the information you hold about them, you can no longer charge them for it.

Anyway, why have I made a point of saying European companies are probably 90% there already anyway? GDPR is for Europeans right? See tomorrow's tip of the day to find out more!


Previous tips of the day in this series:

Day 1 of 10 tip of the day - tell them what you want to do

Day 2 of 10 tip of the day - get their consent!

Day 3 of 10 tip of the day - existing users? Delete? Opt-out?
