What Is the General Data Protection Regulation and How Does It Affect Digital Nomads?
From 25 May 2018, new European Union rules about personal data take effect. If you are a digital nomad sending customer newsletters and using a CRM (customer relationship management) system, you need to take additional care over how that data is used and stored.
What Is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a piece of EU legislation for the protection of data and privacy. It gives citizens more control over their personal data and places more obligations on companies that use personal data. You can find some information in the education portal for GDPR; however, other sources go into more detail, so we will look at those as well.
Without wanting to sound too alarming, there’s no escape from GDPR, even if your company/activity is not based in the European Union. If your clients and suppliers are in the European Union, this legislation will affect you and failure to comply can result in heavy fines.
What the GDPR Means for You
If you hold customer data in a database, you are responsible for storing and managing it. The GDPR covers the personal data of European Union citizens regardless of where that data is processed, so it applies to non-EU countries too.
If you send customer newsletters, make sure you have positive consent. In other words, consent must not be implied: the individual has to actively confirm, for example, their subscription to the newsletter. Individuals have the right to know what information you hold about them and how you use it. They can send a request to find out what information is held about them, and you have 30 days to respond. They can also ask you to delete their data.
In the worst-case scenario that your database is compromised (for example, by hacking), you will need to report the incident within 72 hours to the relevant Information Commissioner’s Office. Non-compliance can be extremely costly. It is imperative to keep the data safe, because a data breach or negligent failure to comply with the GDPR can attract a fine of up to €20 million or 4% of turnover, whichever is higher.
Most of the information available about how to comply with the GDPR is aimed at large organisations – advice includes appointing a data protection officer and conducting regular audits. For smaller companies and self-employed people, there are some useful guidelines, for example this checklist from the Information Commissioner’s Office in the UK.
For digital nomads holding customer data, here are some guidelines:
- be prepared for requests from users to know what information is held about them
- write a document explaining how you are processing and storing personal data
- review how you obtained consent from each person in the customer database, and send an opt-in link asking them to resubscribe
- have procedures in place in the event of a data breach
Data controllers must be able to provide documentation to prove they are handling data correctly.
Ensure your website has a privacy notice that is easy to find and to understand: avoid jargon and keep the language simple.
The rules also include the right to be forgotten, i.e. the right to request that your data is deleted. In this example from the banking industry, the user may request that their personal data is no longer processed or stored (they withdraw their consent).
How Not To Implement the GDPR
If you browse for non-EU based companies, you will find that some of them have decided to avoid implementing the GDPR altogether by blocking access to their websites from IP addresses in EU countries. In other words, they limit their web content to non-EU countries so that they do not need to process personal information from those regions. However, this does not protect these companies from data breaches; it only means that they would not need to pay a fine of up to €20 million if the compromised data belongs to EU citizens.
Please pay attention to subscribers who have responded to your emails by deciding to unsubscribe: some companies have continued contacting them (I speak from personal experience, having received emails after I had unsubscribed), either asking them to opt in again or continuing to send marketing communications. Other companies have sent text messages after people have unsubscribed from marketing communications. This is not how to implement the GDPR.
This article does not constitute professional advice; it summarises the information available.