The B2B Marketer’s Guide to Understanding GDPR

The clock’s ticking down for the EU’s General Data Protection Regulation (GDPR)—which goes into effect on May 25, 2018—but despite the impending deadline, there are still quite a few misconceptions around the regulation and its fine print. To help you make sense of the legislation (which is composed of 99 dense articles), we’ve created a quick and handy guide, which covers the basics of GDPR and how the new set of rules will impact the B2B companies that do business in the EU.

What is GDPR?

Four years in the making, GDPR aims to give EU citizens more control over their personal data and requires the companies that collect, process and store that data to comply with a set of stringent rules. Among the provisions, the rules give EU citizens the ability to ask companies to remove certain online data about them. For companies that don’t comply, the EU can impose fines of up to 20 million Euros or 4 percent of their annual revenue, whichever is greater.

What’s changing under the GDPR?

As the GDPR comes into effect, it brings with it a wave of change around how companies handle personal information, including the following:

Consent: The GDPR changes the requirements for consent, making consent requests clearer and more accessible, and making consent easy to withdraw.
Data Subject Access Rights: The GDPR expands data subject access rights with regard to accessibility, data portability and data erasure—which is also known as the right to be forgotten.
Breach Notification: The GDPR shortens the breach notification timeline to 72 hours for any breach that may result in a risk to the rights and freedoms of individuals.
Data Protection Officers (DPO): The GDPR requires many organizations to appoint a DPO, an expert on data protection law, who is responsible for a series of compliance oversight actions.
Privacy by Design: The GDPR requires implementation of privacy by design, including the use of data protection impact assessments (DPIAs) and applying the principle of data minimization.

How does the GDPR impact B2B companies?

The GDPR impacts all companies that process the personal data of EU individuals, regardless of whether it’s customer or employee data. As a result, B2B companies have to take a set of actionable steps for internal compliance and document that compliance. In addition to complying with the new set of rules, B2B companies also have to be ready for audits by both customers and regulators.

What are some steps companies can take to ensure compliance?

The road to GDPR compliance is a long one, but the following steps can help guide companies toward achieving it:

Assess

  • Create a data inventory or map, identify processing activities and examine data security practices
  • Conduct a GDPR gap analysis
  • Prioritize compliance actions, such as policy updates, creating processes for data subject rights and updating vendor service agreements

Implement

  • Implement compliance actions previously identified
  • Manage risk by identifying high-risk data processing activities and conducting DPIAs
  • Respond to any threats to the privacy of data subjects
  • Implement internal procedures for data protection at all stages of the data lifecycle, for example, breach preparation and internal training and awareness

Document

  • Maintain appropriate documentation, such as DPIAs, privacy notices, vendor contracts, data transfer mechanisms and the register of data processing activities
  • Prepare for an audit by a supervisory authority or data controller

Sustain

  • Take steps to sustain your privacy compliance plan
  • Monitor the privacy processes implemented to ensure compliance
  • Audit existing privacy processes and take remedial action

Communicate

  • Build an internal and external set of communications for employees and customers
  • Communicate changes based on GDPR
  • Create a privacy education system across the organization

DISCLAIMER: This blog post and the materials on this website are not legal advice for compliance with the law. This article is meant to provide general background information to help you better understand the law and is for informational purposes only. If you have questions about your specific circumstances or a particular issue, you should consult your attorney. You may not rely on this article as legal advice or as a recommendation of a specific legal understanding.