The GDPR came into force on 25 May 2018, and on 1 January 2020 the CCPA followed. With all the false news, misleading blogs and opinions, it is almost impossible to establish the facts and know whether your survey programme is fully GDPR and CCPA compliant.
First things first: what are GDPR and CCPA, and what is the difference between them?
GDPR stands for General Data Protection Regulation. In force since 25 May 2018, it defines how the personal data of individuals in the EU must be handled by anyone who stores or processes such data.
It is not only businesses based in the EU that are affected. The regulation applies to any company that handles the data of individuals in the EU, regardless of where the company is located. And it is not just the originating organisation that stores the data that must comply: anyone further down the processing chain (every processor and sub-processor) must comply too.
GDPR affects every email marketer, and failure to comply can lead to significant fines. The European Parliament allowed two years for businesses to prepare, so there is no excuse for not having the necessary procedures and protocols in place.
CCPA stands for California Consumer Privacy Act. It is similar to GDPR in that both give consumers more transparency into, and power over, the use of their personal information. However, they are not one and the same: being GDPR compliant does not necessarily mean you are already compliant with the CCPA.
The obvious difference between the two is who they protect. The CCPA gives California residents control over the data they generate, and it is the first major US privacy law to follow GDPR's lead. Given the size of the Californian economy, we expect similar legislation to be rolled out across the US in the near future.
In short, GDPR requires a lawful basis (often prior consent) before personal data is processed and grants a right to erasure, whereas the CCPA gives Californians a right to know what is collected about them, a right to deletion and a right to opt out of the sale of their data.
What data is covered by GDPR and CCPA?
Any personal data, such as names, addresses, phone numbers, IP addresses, email addresses and pictures, is covered: for individuals in the EU by GDPR, and for California residents by the CCPA. This means that if you use email marketing, CX feedback surveys or direct mail, or you run a call centre that deals with EU or Californian customers, you must comply, whether you are based in the EU, the US or anywhere else in the world.
Who needs to be GDPR compliant?
The GDPR applies to:
- Businesses established in the EU that control or process any personal data, whether directly or on behalf of other clients.
- Businesses anywhere in the world that control or process the personal data of individuals in the EU, where they offer goods or services to those individuals or monitor their behaviour (Article 3(2)).
Essentially, if your company is established in the EU, or is based elsewhere but handles the data of people in the EU, you need to ensure you are fully GDPR compliant or face heavy fines. Note that the test is where the individual is, not their citizenship: an EU citizen living in Australia is not covered, whereas an Australian national living in France is.
Who needs to be CCPA compliant?
The CCPA applies to any for-profit business that does business in California, collects California residents' personal information, and meets at least one of the following thresholds:
- Earns $25M or more in annual gross revenue
- Buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices annually (raised to 100,000 by the CPRA amendments that took effect on 1 January 2023)
- Earns 50% or more of its annual revenue from selling personal information
Which countries are classed as EU countries?
At the time of writing there were 28 member states: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. The UK left the EU on 31 January 2020 and has since retained the same rules as the UK GDPR, and the GDPR also applies in the three EEA states (Iceland, Liechtenstein and Norway). GDPR protects individuals who are in these countries, whatever their citizenship.
So the test is location, not nationality: an EU citizen who has moved to a non-EU country is not covered by GDPR, whereas a non-EU national living in, or even visiting, an EU country is, and anyone handling that person's data must comply.
What happens if I don’t comply with GDPR or CCPA legislation?
If you fail to comply with GDPR, your business could face a fine of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher.
The consequences of you, or one of your suppliers, failing to comply with EU privacy law have always been serious, but the GDPR fines are significantly larger and would have a huge impact on any business that received one. It is therefore essential that all aspects of your business processes, and those of your suppliers, are fully compliant.
If you fail to comply with the CCPA, your business could face a civil penalty of up to $2,500 per violation, rising to $7,500 per intentional violation.
Although much smaller than the GDPR maximum, CCPA penalties are assessed per violation and add up quickly. The CCPA is enforced by the California Attorney General, whose enforcement powers began on 1 July 2020, and non-compliance cases will be investigated.
What does GDPR and CCPA mean for any CX feedback service?
The problem is that there are countless email survey services online and, whilst some are reputable, many are not. Since 25 May 2018, many of them have in fact been operating unlawfully.
With the introduction of GDPR and CCPA, it’s more important than ever that you only work with a fully compliant CX Feedback survey service, or you too could face a huge fine!
In order to remain fully compliant, before sharing your customers’ data with any such service, you must consider the following:
Are you dealing with a legitimate business?
Take the time to research the company you are dealing with. Is the company registered in the EU, or outside it? Under what name is it registered? Does it comply with GDPR when handling your data? Will it comply with the CCPA? A quick scan of their website is not enough; it simply is not worth the risk.
Do you have a written contract in place?
It is important that a written contract is in place setting out the responsibilities and liabilities of both parties; under GDPR Article 28 such a contract between a controller and its processor is mandatory, and the CCPA likewise requires specific terms in contracts with service providers. As the controller you remain responsible for the processing the CX feedback service carries out on your behalf, so only appoint a supplier that can provide sufficient guarantees that the requirements of GDPR and the CCPA will be met at all times. Ask to see their data processing agreement and CCPA service-provider terms before handing over any data.
Does your CX feedback service have the relevant privacy and data protection policies in place?
Make sure you only employ a CX feedback service that has public privacy and data protection policies in place, as well as a named individual who is responsible for data protection.
As a general rule, if you aren’t 100% clear exactly who you’re dealing with and what policies they have in place, it’s safer not to deal with them at all. After all, you will be responsible for explaining why you passed on personal data to them, without the necessary assurances.
Does the service company have an appointed data protection officer?
Under GDPR Article 37, a business must appoint a named Data Protection Officer where its core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data. Most CX feedback companies, which process customer contact data and survey responses at scale on behalf of many clients, will meet that test. A provider that is required to have a DPO but has not appointed one is already in breach, and is a poor choice of processor.
Is any data you hand over for processing, covered by a GDPR/CCPA compliant processing document?
Any professional CX feedback supplier that handles your data on your behalf should document exactly what they have agreed to do with your data before, during and after processing. Typically that will include a statement of which data will be pseudonymised, anonymised or redacted, and at what point. Be very wary of anyone who cannot offer such capabilities as part of their service.
Is a US-based supplier with Privacy Shield certification covered?
Although Privacy Shield allowed US companies to self-certify that they follow its data protection principles, certification never guaranteed that a company complied with GDPR.
According to the European Commission's first annual review, Privacy Shield still needed to address a number of serious areas before it could be relied upon, namely:
- Must prevent false self-certification
- Must raise awareness among EU individuals of how to exercise their rights
- Needs to develop closer co-operation between privacy enforcers
- Must appoint a permanent Privacy Shield Ombudsperson
So if you are looking for a company to provide CX feedback services, or you are currently working with a provider in the US, be aware that Privacy Shield certification never meant a supplier was GDPR compliant. Since the Court of Justice of the EU invalidated Privacy Shield in July 2020 (Schrems II), it cannot be relied on as a transfer mechanism at all; transfers of EU personal data to the US now need another basis, such as Standard Contractual Clauses or the EU-US Data Privacy Framework.
Are you confident that your CX feedback service is fully compliant with GDPR?
In the eyes of the law, you are responsible for ensuring that your supplier is fully GDPR compliant. Do not hand over any personal data until you are 100% satisfied that this is the case. After all, it is your company that will be fined in the event of a GDPR breach.
As a general guide, if a CX feedback provider is based in the EU, has a comprehensive data protection policy and has a dedicated Data Protection Officer, you have a good starting point, but you still need the written processing contract in place before proceeding.
If you are using a non-EU provider, you should ensure that either the country they are based in has an EU adequacy decision, or an appropriate transfer mechanism (such as Standard Contractual Clauses) is in place and the company itself is fully GDPR compliant.
Here at VirtuaTell, we’re fully compliant…
At VirtuaTell, we’ve always taken the security of our clients’ data seriously, and we’re fully compliant with GDPR and CCPA. So you can rest assured that your data will be safe, secure, and used only in line with the very latest EU and Californian regulations.
For further information about GDPR and CCPA and how we adhere to the new regulations, please do not hesitate to contact us.