GDPR – CSM – Customer Service Manager Magazine (https://www.customerservicemanager.com), The Magazine for Customer Service Managers & Professionals. Feed updated Wed, 05 Oct 2022 16:04:52 +0000.

Why You Need a GDPR Rep When Processing Customer Data
https://www.customerservicemanager.com/why-you-need-a-gdpr-rep-when-processing-customer-data/
Fri, 27 May 2022 12:55:04 +0000

If you’re a business that processes customer data in any respect, you may need a GDPR representative.

According to the Information Commissioner’s Office (ICO), if you’re a UK-based business and offer goods or services to individuals within the EEA, or monitor the behaviour of individuals in the EEA in any way, shape or form, then you still need to comply with the EU GDPR with respect to data processing.

The UK GDPR has taken over the duty for businesses that are public authorities or public bodies and that process data to appoint a data protection officer (DPO). On top of this, organisations that wish to operate in both territories and are involved in data processing activities are required by law to have representation in both.

Since you do not have a base inside the EEA, the EU GDPR requires you to appoint a representative in the EEA. They will need to be established in an EU or EEA state where some of the personal data you’re processing is located, and you must authorise this representative, in writing, to act on your behalf in terms of your EU GDPR compliance. In this capacity, they will also deal with any supervisory authorities or data subjects.

GDPR law and compliance behind processing data

Even though your GDPR representative will work on your behalf, deal with the fine details and relay back to you any important information regarding data processing, it’s still a good idea to understand the law and compliance behind processing customer data with regard to GDPR regulations.

GDPR is a strong set of data protection rules that prioritises individuals’ rights over those of corporations with regard to consent, control and the data activities carried out by businesses. This includes even the most basic data (information) about an individual that businesses collect, such as names, location data or even a username.

Personal data must be protected against unlawful processing, as well as loss and damage. Businesses must obtain consent and give people the ability to withdraw that consent and to request or delete their personal data at any time.

Why do I need a GDPR representative and what do they do?

You need an EU Data Representative if you don’t have an office in the EU but process large amounts of data from EU data subjects (individuals), or if you process special categories of data.

According to Article 27(3) of the EU GDPR, these data representatives are:

  • Nominated by the controller or processor to be addressed by EU regulatory bodies in addition to the controller or processor.
  • Established in a member state where you process or monitor personal data.

A GDPR data representative performs several important functions on your behalf beyond being a named point of contact between yourself and EU regulators. They also:

  • Act on your behalf, for your benefit, with supervisory authorities.
  • Help you to meet Article 30 requirements (the record of processing activities, or ROPA).
  • Supply you with any updates, revisions and new readings of the GDPR rules as they apply to your business.
  • Make records available to supervisory authorities.

Your GDPR representative acts as your public face in the EU. As a business, you benefit from having a GDPR representative in that they’re a fast contact point for international bodies to get in touch with. They work on your behalf. They will provide you with timely updates about EU law, and the regulatory authorities can bring proceedings against the representative, instead of yourself, for any breaches you’ve committed.

What happens if GDPR regulations are breached?

Failing to comply with GDPR regulations can prove devastating for businesses, corporations and organisations.

Not adhering to or breaking any rules within the stringent GDPR regulations can mean facing massive fines. There are two tiers of fines for businesses that violate GDPR regulations. Companies that breach regulations face a maximum penalty of €24 million ($23 million) or 4% of their annual global turnover, whichever is greater. In the second tier, infractions can hit €10 million ($12 million) or 2% of annual turnover. Authorities can also issue public reprimands or place restrictions upon such businesses, rather than issue fines.

If you’re a business that processes large amounts of data but doesn’t have a base in the territories where you do so, then you require a GDPR representative. GDPR regulations can be stringent and arduous, and it can be easy to breach them accidentally. Having a GDPR representative will give you a physical presence within the territories you’re operating in and make sure you remain on the right side of the law. They will act as a point of contact and reference, dealing with any issues that arise on your behalf and helping to minimise potential headaches.

10 Steps to Preparing Your Business for GDPR
https://www.customerservicemanager.com/10-steps-to-preparing-your-business-for-gdpr/
Fri, 11 May 2018 13:21:22 +0000

The General Data Protection Regulation (GDPR) is a new set of rules, amending the current Data Protection Act, that will soon be mandatory for businesses dealing with European consumers.

GDPR Guide

From May 25, 2018 the regulation requires the safeguarding of the personal information of all citizens of European Union member states. While many businesses are already aligned with the specifications, it’s important to make sure your business has everything covered.

This article takes a look at what you need to have in place in order to avoid being found in violation of the GDPR.

The truth is that these new rules are aimed at large companies that deal in information as a source of revenue. Smaller businesses aren’t likely to be penalised the 4% of worldwide gross or 20 million Euros that large corporations will be if they’re found in violation.

If you’re worried about having a mountain of work ahead of you to prepare, you shouldn’t be. If you’re unsure whether you will be affected, look for these key signals:

  • You deal in information as a commodity;
  • You request users’ data when they complete a purchase and use the data elsewhere or store it;
  • You deal with one or more European countries.

If the answer is no to all of these, then you will be fine!

So what can you do just in case?

Here are 10 steps your business can take to be best prepared for GDPR, even if you are not physically located in the EU.

1. If your website has an online form that includes a pre-checked box giving permission to receive promotional emails from third parties, this box now needs to be unchecked.

2. If your business conducts any form of list-building, ensure everyone on that list has given explicit permission to be on it. Under the Canadian PIPEDA, it was enough to have implied permission; however, if any EU residents are in your database, the rules are much firmer and give subscribers the right to obtain the information stored on them.

3. Make sure your entire staff is aware of the new rules. Circulate a memo to all personnel with a follow-up meeting where the points are reviewed. Asking a few questions to key players whose roles would be most affected by the new rules is a great way to ensure they’re aware of what they need to do.

4. Audit all stored client/customer info and track where you got it from and where it’s been used. Keep a record of every bit of info and who you may have passed it to at any time, and document the relationship and reasoning.

5. Update your privacy policy so it includes the reasoning for retaining any user data, how it is legally used, and how users can contact your business if they feel their user information is in any way being misused.

6. Have a clear method in place to address requests for erasing a user’s data. Under the DPA, users already had certain rights but the GDPR takes it further with information rights pertaining to their data stored by your business.

The rights consist of:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making, including profiling

You will need to be able to provide all this information in a clear and machine-readable format (not in handwriting).

7. Have a process in place for handling large volumes of requests. Previously, under the DPA, businesses had 40 days to comply with a request. That has been shortened to one month. Any lawful request must be fulfilled, though if there is a large number of requests and the suspected reason is to cause problems for your business, then these requests can be contested legally.

8. Have your lawful reasoning for retaining user data or passing it to others clearly stated for users, and ensure the opt-in option is not pre-ticked or unclear. Users must have a clear understanding of why you want their data, what you do with it, and who you might share it with. And they must have the option to say no. This is separate from Terms and Conditions.

9. If your business deals with anyone under the age of 16, then you’ll need a parent or guardian’s permission to process any of the child’s data. This is very important and strictly regulated, but at the same time, if you’re not dealing in information as a commodity, then you’re likely not going to have to worry.

10. Have steps in place to address a data breach. In the event that users’ data may be compromised, you will need to have a way to let all affected users know what was compromised and when. Assigning someone internally the task of coordinating the response is a great idea.

As you can see, it’s a big business problem, and one more rooted in user protection in Europe, where social networks have been cited as problematic and susceptible to foreign influence.

North America is not really affected much, but the issue is still very newsworthy, which can make some small business owners nervous when they don’t need to be. That said, this article from Small Business BC points out some seemingly harmless potential data breaches that could put you at risk of violation, such as sending out greeting cards to customers living in the EU.

If you have any questions about GDPR you can message Susan Friesen at eVision Media directly here.

About the Author

Susan Friesen, B.B.A. is the Owner/Developer at eVision Media.

Building Customer Trust – with the Citizen at the Heart of the GDPR Experience
https://www.customerservicemanager.com/building-customer-trust-with-the-citizen-at-the-heart-of-the-gdpr-experience/
Tue, 01 Aug 2017 12:32:03 +0000

Unless you have been living under a rock, you can’t have failed to notice the GDPR compliance deadline is looming.

GDPR

By 25th May 2018 all organisations serving customers across Europe need to comply with the new legislation, regardless of the UK leaving the EU.

Yet, IT Governance reported this month that 68% of a survey sample have yet to update their processes to reflect the new data subject rights.

There are numerous changes to the outgoing Data Protection Act that organisations need to adhere to, or fall foul of the regulator, the Information Commissioner’s Office (ICO), which is currently recruiting 200 new staff to enforce the new rules. Failure to comply could result in fines of up to €20 million or 4% of annual global turnover, whichever is greater. But even worse, what if you lose all your customer data?

The GDPR will apply across the company; it is no longer just an issue for Marketing, Customer Insights or Compliance. Customer Services will be at the forefront when it comes to dealing with enquiries from citizens, Subject Access Requests (SARs), engagement, loyalty and churn.

In this Digital Age, with more Artificial Intelligence and automation, the customer expects a certain level of personal targeting and customised experience. This has resulted in a more customer-centric culture. Now the customer will expect not only personalisation of products and services, but security of the personal information they have shared with you.

The fact that customers have been happy to share data to obtain a value exchange with your organisation is a great starting point. You may now have access to purchase history, address, birthday, communication preferences and in some cases even their voice recording. But this results in a vast amount of personal data for storage and protection.

Now that you have been entrusted with their data, you must respect it and ensure its safety and privacy. From here on in, under GDPR your company must obtain consent and understand what we at MyLife Digital call the 5W Framework:

  • WHAT data has been collected.
  • WHY it’s been collected and for what specific purpose.
  • WHO is using the data.
  • WHEN the permission was granted.
  • WHERE the permission was granted.

From a Customer Service point of view, any Customer Relationship Management system needs to access and report on the above. When you’ve worked so hard to build customer satisfaction and loyalty, you don’t want to lose it.

With chatbots and technology removing the need for live agents, customers must feel they are able to resolve problems whilst having a good experience. In another survey recently reported by CSM, 65% of consumers “feel good” when they solve their issue without human contact. Customers rely more and more on technology, and this technology relies on data.

Analytics of customer data is getting more complex. Feeding machine learning algorithms requires data, and more data means more of the 5Ws, especially who is using it, why it has been collected and for what specific purpose.

GDPR will hold your company to account, and you will need to be able to show how you use best practice to apply these controls. From your Privacy Policy, to Terms and Conditions and business processes, all need to adopt a new way of business as usual.

GDPR is seen as one of the biggest, most important changes to consumer rights in recent times. It turns the use of personal data on its head and gives back control of data to the citizen. Businesses must ensure every member of staff has the appropriate level of understanding to continue to carry out their role.

Okay. You’ve done your homework, you’ve invested resources and applied the 5Ws to your data collection, so what’s next?

In an article in Harvard Business Review, Customer Data: Designing for Transparency and Trust, the authors state, “a firm that is considered untrustworthy will find it difficult or impossible to collect certain types of data, regardless of the value offered in exchange. Highly trusted firms, on the other hand, may be able to collect it simply by asking, because customers are satisfied with past benefits received, and confident the company will guard their data.”

To be a trusted firm, to maintain loyalty and reduce churn, you need to keep your customers happy: with repeat purchases, upgrades, continued good service and of course value for money, and, from May 2018, data consent.

Consent Audit

To start to understand consent, look through current statements that have been used to gather permission to contact. These might be on old direct mailing packs or in recent online or social campaigns. Collate these, then assess how legitimate that consent to use data is and whether explicit permission was given.

Your customers must agree that their data can be used and that they can be contacted. Only then do you have a legal basis for collecting, storing and using their personal data.

And be mindful: consent is not the same as a preference.

Under the DPA customers already have the right to know what data you hold on them and can submit a subject access request (SAR). The ICO has written guidance on this process which is well worth reading, and we await an update for GDPR.

Customer Service is often the first port of call when the relationship has steered off course or a simple query triggers a call. Under GDPR it may now also trigger the right to be forgotten or right to erasure.

Article 17 of GDPR states that the data subject has the right to request that the data controller erase their personal data, subject to meeting certain conditions. These may be that the personal data is no longer necessary in relation to the purpose for which it was collected, or that the data subject withdraws consent or objects to processing, amongst others.

GDPR Checklist

Now is the time, before May 2018, for your organisation to:

  • consider the organisation’s stance on personal data and what is done with it
  • understand what data needs to be retained for legal or other reasons
  • establish or update data retention policies and adhere to them
  • ensure there is a process in place to manage SARs and the Right to be Forgotten
  • train all staff in the above process and the part they play in it
  • draft standard communications and notifications to acknowledge requests, including the timelines for completion
  • know where data is shared, internally and externally, and be ready to inform such parties to complete these requests
  • compile or update a suppression list to remove requestors’ data from any marketing, sales or communication activity.

Basically, leave no stone unturned. Don’t live under a rock or bury your head in the sand: GDPR is coming, and sooner than you think.

About the Author

Keith Dewar is Group Marketing and Product Director at MyLife Digital, with over 25 years of senior management experience across functional disciplines including marketing, sales, business development and strategy. He has held various directorships with Cable & Wireless, Vodafone and O2.

More recently, Keith was Vice President, Marketing & Strategy for technology start-up IP Wireless, where he helped grow the business over five years, culminating in a successful acquisition of the company by General Dynamics. Keith is also a postgraduate student in the Department of Economics, Finance and Management at the University of Bristol, where he is studying and researching areas of strategy, change and leadership.
