The General Data Protection Regulation (GDPR) is the most impactful, but perhaps least understood, data regulation change we’ve seen in years. Have you heard of it yet? It is fully in effect as of May 25, 2018, and failing to comply can cost users of your app a percentage of their global revenue. That’s a bad customer experience.

Okay, breathe. We’ll give you an overview if you’re not up to speed, then launch into tips and next steps for enabling your customers to succeed in the context of GDPR changes. Or, access the recording of our webinar with leading GDPR expert Ian Gotts, CEO of Elements.cloud, to equip you with the information and action items you need to stay ahead of the curve.

What’s the GDPR?

The GDPR is a new data privacy regulation that applies to businesses handling any type of personal data of individuals located in the European Union (EU). The rules apply to both controllers and processors of personal data, so cloud-based businesses are not exempt. The GDPR’s website defines a controller as “the entity that determines the purposes, conditions and means of the processing of personal data” and a processor as “an entity which processes personal data on behalf of the controller.” In practice, a SaaS vendor that stores customer records on a customer’s behalf is typically a processor, while the customer, who decides why and how those records are used, is the controller.

In layman’s terms: if your customers work with personal data about individuals in the EU, they are subject to the regulation, and if you process that data on their behalf, so are you.

What’s Changed

First and foremost, the GDPR gives legal force to a concept that has been around for years: privacy by design (the regulation calls it “data protection by design and by default”). This means that when designing a system, privacy protection must be built in from the outset rather than bolted on as an afterthought.

The regulation also requires that controllers hold and process only data that is pertinent to the business they are conducting, and that they keep records of their processing activities. Failing to keep those records in order falls into the lower tier of fines (up to 2% of global annual turnover or €10 million, whichever is greater); violating the data-minimisation and storage-limitation principles themselves, such as hanging on to data you no longer need, falls into the higher tier described below.

Companies must obtain explicit consent, in essence an “opt-in”, from the data subject in order to process sensitive personal data (the GDPR’s “special categories”, such as health data). This is a change from the previous framework, which in practice let companies use personal data until a customer opted out. Under the GDPR, silence, pre-ticked boxes and inactivity do not count as consent, and consent is only one of several lawful bases for processing, so every processing activity still needs a documented basis.

What Happens if Businesses Don’t Adjust

The GDPR penalizes businesses that breach the regulation with fines of up to 4% of global annual turnover or €20 million ($24,630,800), whichever is greater. There is a tiered approach to fines, and the GDPR’s website makes clear that both controllers and processors will be held liable and that “clouds” won’t be exempt. It’s likely that many companies will be in violation and that some will be penalized aggressively as a lesson to others, though there’s no surefire way to anticipate the level of enforcement. Our recommendation: not only is it not worth the risk, but there’s a business case for outperforming your competitors in enabling data security. More on that soon.

How to Comply with the GDPR

The supervisory authority must be notified within 72 hours of the controller becoming aware of a data breach that is likely to “result in a risk for the rights and freedoms of individuals.” Affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to them. Because the 72-hour clock starts when the controller becomes aware, processors are required to report breaches to their controllers without undue delay, so an app vendor needs a detection and escalation path that can produce a notification-ready summary within that window.

Data subjects also have two further protections. The first is the “right of access”: they may ask the data controller whether their personal data is being processed, where, and for what purpose. The controller is required to provide a copy of the personal data, free of charge, in a commonly used electronic format, upon request by the data subject. Second, subjects retain the “right to be forgotten” (the right to erasure), which allows them to request that controllers erase their data in certain circumstances. For an app developer, both rights mean you must be able to locate every record tied to one individual, including copies in logs, caches and downstream integrations, and either export or delete it on request.

How GDPR Impacts App Developers

Depending on how you approach GDPR for your customers, it can either be a hindrance or an advantage to your company. Don’t act, and fall behind — or get ahead and grow business while delivering delight.

Experts cite a few compelling reasons to get out in front of the new requirements. Ian Gotts, Founder and CEO of Elements.cloud and a GDPR expert, sees three major benefits for companies complying with the GDPR: data simplification, process improvement, and reputation. Consider these potential advantages for your customers.

  1. Data Simplification. Since the GDPR mandates that companies have a lawful basis (such as consent) for every processing activity, know what data they hold and where it lives, and delete unnecessary data, their records will be more streamlined and easier to browse. Gotts cites a survey that showed “staff spend 18% of time looking for the right information and then confirming that it is correct.” Once data clutter is minimized, staff efficiency will increase and the cost of data storage and backup will decrease.
  2. Process Improvement. If you implement the correct GDPR processes now, you will have an advantage over less-prepared competition when other countries start regulating data privacy more strictly. The strict requirements of the GDPR force companies to have documented and well-thought-out processes for handling data across departments. Gotts states that companies implementing processes aligned with GDPR tenets “typically see 25% improvements in productivity, and often more, when using a proven process mapping approach.”
  3. Reputation. GDPR compliance can improve a company’s reputation in the market. Demonstrable compliance shows that a company values its customers’ trust. This can be a strong differentiator between compliant companies and competitors that do not comply with the GDPR.

Final Thoughts — and What Comes Next

Customers (and governing bodies) in the EU are taking the GDPR seriously. Companies that set up their solutions for GDPR compliance can anticipate customer requests; enabling customers to comply is a shortcut to customer delight.

Laggards should also consider that while these data privacy regulations are currently only being put into place in the EU, they apply to companies based anywhere. The protections cover individuals in the EU, regardless of their citizenship, where the company is based, or where the data is stored. It is highly likely that similar regulations will be implemented in the United States and other developed countries in the next few years. An approach of data clarity and transparency positions compliant companies as trustworthy and ethical partners capable of handling sensitive information, which can give them a leg up on the competition.

Access the full recording on GDPR and data privacy with Gotts. He shares actionable information enabling AppExchange partners to help their customers get and remain compliant. If you need help developing your app in line with data-compliance best practices, we’re always happy to talk.