GDPR is almost here, and unless you have zero European contacts in your database, it applies to you.
Here are the first three things you need to know:
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a sweeping overhaul of data privacy rights passed by the European Union Parliament in 2016, and takes effect May 25th, 2018. It gives all citizens of EU member states specific rights on how their data is used and stored, how you can contact them, and requests they can make regarding their data.
There are many aspects of the legislation, including data security and breach response, and from a software perspective Microsoft is committed to helping its commercial customers achieve GDPR compliance. You can review Microsoft’s dedicated GDPR page here.
From a business process perspective, the most salient aspects to users of Microsoft Dynamics 365 are the requirements for consent and responses to data requests, the management of both being a natural fit for Dynamics 365 for Customer Engagement.
All companies storing and using contact information for marketing or other purposes must obtain explicit, opt-in consent from those contacts to continue those communications. It is no longer acceptable to simply assume, for example, that a past customer implicitly gives consent for future marketing or other activities. Obtaining this consent requires a one-time effort for current contacts and an ongoing process to ensure compliance with new contacts going forward.
3. Data Requests:
Once consent is obtained, all contacts have the right to make five types of data requests—information, erasure, portability, rectification, and objection—and these requests must be fulfilled in a timely manner.
In brief, these are the types of requests you will begin to receive in May:
Information—"What data do you hold and how is it being used?”
Portability—"Give me my data so that I can take it to another provider.”
Rectification—“Fix the inaccuracies in my data.”
Erasure—“Delete my data.” (the so-called “Right to be Forgotten”)
Objection—“Stop using my data for any automated processing.”
Responding to these requests in an organized, repeatable, timely, documented way requires knowing where all relevant data is stored, the implementation of new business processes, and behavioral changes in many employees across the organization. The path to compliance is a combination of technology, process, and education.
GDPR compliance is not optional, even for US-based companies, and compliance audits start May 25th, 2018
Although this legislation was passed by the European Union Parliament, it applies to all companies who do business in Europe and retain personal information on citizens of EU member states. Once the deadline passes, regulators will be looking to make an example of a few early offenders—be assured overseas companies holding data on Europeans will be on the target list. That means, in short, unless you do not and never plan to do business with any Europeans, the requirements of the legislation apply to you, and there is a significant burden of compliance, not to mention the risk of audits and substantial monetary fines.
GDPR is also an opportunity for you to engage with your customers in the way they want to.