Ask Anything About: GDPR (Part II)

It can be difficult to keep up with every new term or technology available today. Instead of nodding along in agreement, however, it is important to ask questions that will truly help you understand what is being discussed - even if those questions are simplistic in nature.

For this reason, Website Magazine launched its "Ask Anything About" series (inspired by Reddit's popular Ask Me Anything threads) to pair some basic question about a topic with an expert who could answer them in greater detail.

Our expert for "Ask Anything About: General Data Protection Regulation", or GDPR, is Pieterjan Bouten, CEO of Showpad, a sales enablement platform. Let's get started!

In basic terms, what is general data protection regulation (GDPR)?

avatar-pj-(1)Pieterjan Bouten, Showpad: GDPR is the EU General Data Protection Regulation. This regulation centers around the privacy of individuals and the protection of their personal data, requiring businesses to be more transparent on the way personal data is processed, to better protect the personal data of their customers, and to better safeguard the rights of each individual towards his personal data. The primary purpose is to give people more control over their personal data and the extent to which it is processed, a move meant to address the changes in the digital landscape as technology has become more prominent in everyday business interactions. Similar privacy legislation has been in place in the EU since 1995, but with the current GDPR, legislation is becoming more strict and its scope is expanding to include non-EU business (including US businesses) that interact with EU data subjects.

When is the deadline, and what needs to happen before that deadline to meet compliance?

Bouten:The deadline for GDPR compliance is May 25, 2018. To ensure compliance, companies need to assess and think about the full scope of their data. This means doing a complete audit and determining what personal data they currently process, what personal data they need and how they will process it and for how long, as well as potentially re-thinking their organizational set-up. It's important to determine the current state of one's personal data usage and figure out what information is essential to your business, as well as strategies for making the most out of the processing of personal data in a GDPR compliant way.

Do U.S.-based businesses need to worry about GDPR?

Bouten: Yes. Any company that has a Web presence or is marketed in the EU, or that is monitoring behavior of an individual in the EU, will be impacted by this regulation, even if they are U.S.-based. Beyond this, data privacy is becoming more and more of a concern for customers across the world. Whether or not a company will be impacted by this specific regulation as of May 2018, it's essential for organizations to prepare for a world in which this is a universal rule whether stated officially or by customer demands. The better they are able to show timely compliance with GDPR standards, the more prepared businesses will be to meet the inevitably escalating demands of customers as they become more aware of the scope in which their data is being processed.

What types of personal data is included in GDPR?

Bouten: Personal data regulated by GDPR includes any information that can directly or indirectly identify a "data subject" (which is generally defined as any individual residing in the EU). It can be anything from a name, birth date, a photo, an email address, bank details, posts on social networking websites, medical information, geographic data, physical appearance, genetic makeup and cultural or social identity. Basically any information that, by itself or in conjunction with other information, can identify a specific individual is covered under this regulation.

Does GDPR mean companies should stop using customer data to personalize experiences?

Bouten: Not at all. It just means that they need to think more deeply about how they process the personal data they possess. Personalization is still a top strategy for marketers and sellers, and GDPR shouldn't be the cause for them to abandon these tactics. Though, some people might choose to be less forthcoming with providing their personal data, so the personal data that companies do process will have to be processed more wisely in a way that the customer will find most valuable. Companies will also have to be mindful of being transparent enough and not being "creepy" about how and which personal data they process, and know when to use it for personalization or process improvement.

With GDPR in mind, what should companies be looking for in their technology platforms?

Bouten: Companies need to make sure that their technology platforms are designed using the principles of "privacy by design" and "privacy by default" as well as taking into account relevant data security principles  as foundational elements. Since GDPR aims to give individuals more control about how their personal data is processed, companies have to understand that this is a shift in mindset, and is going to be a defining feature of how software is going to be designed in the future.

What is Showpad doing about GDPR?

Bouten: Showpad was initially designed with privacy in mind. We've always had the privacy and security of our users and their personal data as key priorities, and we're "ahead of the curve" when it comes to GDPR (e.g. Showpad's principle hosting infrastructure is located within the EU at a first-class world-renowned hosting partner). 

However, in close conjunction with the Showpad data privacy officer, we are rolling out several key changes to our product to make sure we stay at the forefront of this shift, which focus on empowering our users and provide them with more transparency to understand how their personal data is processed.

Our product will feature extended privacy settings allowing our customers to adjust privacy settings to what they require, seek both our users' and their prospects' informed consent before we track interactions with content shared through the Showpad product (e.g., providing them with high level information about the type of processing and easy access to the respective privacy policy before confirming consent in a compliant manner), as well as enabling the individuals whose personal data is processed to exercise their rights.

We've also added features that let users opt out of cookie tracking capabilities, along with a feature that anonymizes data for entire user groups.

Also thanks to the effort of our data protection officer and information security team, our internal organization will remain a first-class organization when processing personal data as well as when dealing with its suppliers.

What are the benefits of GDPR for organizations?

Bouten: The benefits of GDPR for organizations are twofold. First, at a simple level, organizations that embrace GDPR and implement it throughout their organization, even U.S.-based businesses, are seen as more user friendly and more trustworthy from the consumer side. That has many benefits.

Second, GDPR is a way for the EU to give businesses simple and clear rules for the processing of personal data. The regulation will make processes standardized throughout the EU to avoid claims of misunderstanding and reduce confusion for companies that operate in multiple geographies.

What are the risks of GDPR for organizations?

Bouten: One of the biggest risks for organizations when it comes to the upcoming GDPR is the time and money it may take to comply. Updating IT infrastructure is typically a challenging process, and while the May 2018 deadline still seems far away, that date will come much quicker than expected. Companies have to make sure their systems are updated in time, and that their capital and labor investments are utilized correctly and not wasted, otherwise they may face fines and even more investment decisions. Keep Reading: