The new GDPR regulations come into force on 25 May 2018. With all the false news, misleading blogs and opinions, it’s almost impossible to find out the facts and become prepared and fully compliant!
First things first: what is GDPR?
GDPR stands for General Data Protection Regulation. Set to be introduced on 25 May 2018, GDPR legislation defines how European personal data must be handled by anyone that stores or processes such details.
It’s not only businesses that are based in the EU that will be affected by the introduction of GDPR – the legislation applies to all companies that handle the data of individuals residing in the EU, regardless of the company’s location. And it’s not just the originating organisation that stores their data that must be compliant – anyone down the data processing chain must also be compliant.
GDPR will affect all email marketers and failure to comply will lead to significant fines. As the European Parliament allowed 2 years for businesses to comply with the new regulations, there’s no excuse for not having the necessary procedures and protocol in place by the time the legislation is introduced. The clock is ticking!
What data is covered by GDPR?
Any personal data such as the names, addresses, phone numbers, IP addresses, email addresses, and pictures of EU citizens is covered by GDPR. This means, if you use email marketing, CX feedback surveys or direct mail, or you have a call centre that deals with EU customers, you must be compliant, whether you’re based in the EU, the US, or anywhere else around the world.
Who needs to be GDPR compliant?
The new GDPR legislation applies to:
- Businesses in the EU that control or process any personal data directly, or on behalf of other clients.
- Businesses anywhere in the world that control or process the personal data of European citizens, regardless of where they live or where the company is based.
Essentially, if your company is based in the European Union, or it is based elsewhere but deals with the data of EU citizens, you need to ensure you’re fully GDPR compliant or face heavy fines.
Which countries are classed as EU countries?
There are 28 countries within the EU: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK. GDPR applies to citizens of these 28 countries, wherever they live in the world.
So, if any of your clients are EU citizens, even if they now live abroad and in a non-EU country, GDPR will still apply to them and anyone handling their data will need to be compliant by May 2018.
What happens if I don’t comply with GDPR legislation?
If you fail to comply with GDPR, your business could face a fine of up to 20 Million Euros.
The penalties for you, or one of your suppliers, failing to comply with EU privacy laws have always been stringent, but under GDPR the fines have been significantly increased and would have a huge impact on your business if it were fined. Quite obviously, it is incredibly important that you ensure all aspects of your business processes – and those of your suppliers – are fully compliant.
What does GDPR mean for any CX feedback service?
The problem has been that there are countless email survey services online and, whilst some are reputable, many are not. From May 26th 2018, many of them will in fact be operating illegally.
With the introduction of GDPR, it’s more important than ever that you only work with a fully compliant CX Feedback survey service, or you too could face a huge fine!
In order to remain fully compliant, before sharing your customers’ data with any such service, you must consider the following:
Are you dealing with a legitimate business?
Take the time to research the company you’re dealing with. Is the company registered in the EU? Are they registered outside the EU? What name are they registered under? Do they comply with GDPR regulations when handling your data? A quick scan of their website isn’t enough; it just isn’t worth the risk!
Do you have a written contract in place?
It’s important that there is a contract in place outlining the responsibilities and liabilities of both parties. Ultimately, you are responsible for the compliance of the CX feedback service, so make sure that you only appoint a supplier service company that can provide sufficient guarantees that the requirements of GDPR will be met at all times. Ensure you see their GDPR paperwork as well, before handing over any data.
Does your CX feedback service have the relevant privacy and data protection policies in place?
Make sure you only employ the services of a CX feedback service that has public policies in place, as well as an assigned individual who is responsible for data protection.
As a general rule, if you aren’t 100% clear exactly who you’re dealing with and what policies they have in place, it’s safer not to deal with them at all. After all, you will be responsible for explaining why you passed on personal data to them, without the necessary assurances.
Does the service company have an appointed data protection officer?
Any business that conducts large-scale personal data processing must have a named Data Protection Officer in place. This applies to all CX feedback companies, or any business that offers this service. Only companies with appointed Data Protection Officers are permitted to process EU data.
Is any data you hand over for processing covered by a GDPR-compliant processing document?
Any professional CX feedback supplier that handles your data on your behalf should document exactly what they have agreed to do with your data before, during and after they have processed it. Typically, that will include a statement that some or all of the data will be pseudonymised, anonymised or redacted. Be very careful of anyone who cannot supply such capabilities as part of their service.
Is a US-based supplier with Privacy Shield certification covered?
Although Privacy Shield allows US companies to self-certify against European data protection laws, it doesn’t guarantee that they comply with GDPR, and this doesn’t look as though it will change anytime soon.
According to the European Commission, Privacy Shield still needs to address a number of serious areas before it can be considered GDPR compliant, namely:
- Must prevent false self-certification
- Must raise public awareness of how individuals can exercise their rights
- Needs to develop closer co-operation between privacy enforcers
- Must appoint a Privacy Shield Ombudsman
So, if you’re looking for a company to provide CX feedback services, or you’re currently working with a provider in the US, be aware that Privacy Shield certification doesn’t mean they are GDPR compliant.
Are you confident that your CX feedback service is fully compliant with GDPR?
In the eyes of the law, you are responsible for ensuring that your supplier is fully GDPR compliant. Don’t hand over any personal data until you are 100% satisfied that this is the case. After all, it is your company that will be fined in the event of a GDPR breach after 25 May 2018.
As a general guide, if a CX feedback provider is based in the EU, has a comprehensive data protection policy, and has a dedicated Data Protection Officer, you should be confident to proceed.
If you’re using a non-EU provider, you should ensure that either the country they’re based in follows EU data protection standards OR the company itself is fully compliant with GDPR legislation.
Here at VIRTUATell, we’re fully compliant…
At VIRTUATell, we’ve always taken the security of our clients’ data seriously, and we’re fully compliant with GDPR. So you can rest assured that your data will be safe, secure, and used only in line with the very latest EU regulations.
For further information about GDPR and how we adhere to the new regulations, please do not hesitate to contact us.