It's May! If you're like us, you're probably wondering how the past four months flew by so quickly (our annual innovation manager forum in Bonn had something to do with it for us!). If that's the case, then you may also be surprised to learn about a major deadline happening at the end of the month. No, it's not the close of your latest idea campaign; it's GDPR compliance!
Jokes aside, we hope you're already aware of GDPR and have dotted your "i"s and crossed your "t"s. But for those in innovation management who might be hearing this acronym for the first time, we're here to help.
Below, we provide an overview of what GDPR is and what it means for your company (yes, even companies not based in Europe!).
1. What is GDPR?
To start, the acronym GDPR stands for "General Data Protection Regulation." That's a mouthful, which is why we (and everyone else) simply call it GDPR. It's like saying "LOL" or "YOLO," but less fun.
So, what is GDPR? It's a regulation put in place by the European Parliament, the European Council, and the European Commission intended to fortify and unify data protection within the EU.
Every company stores data about its employees, customers, or partners. For us as individuals, in the era of the Facebook and Cambridge Analytica scandals, it is often not transparent what kind of data companies gather, how they will use it, or whether they will share it with another company.
Companies will need to make sure that they inform people before collecting any personal data, that the person gives explicit consent to the processing of that data, and that they choose adequate technical and organizational measures to protect the data. On top of this, people will have the right to obtain a report of the data a company has stored about them. You will also be able to have your personal data deleted.
2. When does my company need to comply?
The GDPR has been in force since 2016, and companies had two years to adapt. It finally becomes applicable on May 25, 2018. That means if you've put it off until two weeks before the deadline, now is the time to get moving.
3. Why does GDPR exist?
GDPR is about transparency and about ensuring that everyone keeps control over his or her data. In general, people will be better informed and get more insight into how their data is processed.
Germany and a few other EU member states have had data protection laws for a couple of years. However, the fines attached to violations were not significant. As of May 25, this changes considerably: a company violating the GDPR may be fined up to 4 percent of its worldwide revenue or 20 million euros (whichever is more painful). For Facebook, for example, this could mean a fine of 1.4 billion euros.
Another goal of the GDPR is to harmonize data protection regulation, since it applies to all EU member states. As a result, all companies will have to comply with the same requirements.
4. Which companies does the GDPR affect? And what if my company isn’t part of the EU; why should my company care?
All companies that process personal data within the European market are affected, as are companies that process the data outside the European market but offer services to it. As an example, Facebook, as a U.S. company, needs to comply because it clearly provides a service to Europeans, regardless of where its servers are located. On the other hand, suppose you are a car dealer in Chicago selling cars mostly to people in Chicago, and of course you also have a website. The website is accessible to Europeans as well, but you do not address the European market. In this case, the car dealer probably does not need to comply. But what if the dealer has a German website as well? Or offers worldwide delivery? When in doubt, always consult a lawyer.
5. Okay, but how does it really affect businesses outside of the EU?
GDPR applies to the processing of personal data of persons who are in the EU, as long as the processing activities are related to offering goods or services to such persons or to monitoring their behavior, insofar as that behavior takes place within the EU. Therefore, for example, if a U.S. company has European employees located in the EU, it must comply, too.
6. What types of privacy data does the GDPR protect?
Personal data includes, for example, your name, address, email address, or favorite color. It also includes your IP address or any identifier that a company could use to identify you.
7. How is HYPE set up to meet the regulation’s requirements?
The GDPR is a regulation that our innovation management customers typically need to comply with. The GDPR requires companies to implement processes, but it is up to our customers (yes, you!) to decide how these processes are implemented in detail. We talked to many of our customers to make sure the HYPE innovation software is ready to support them. If you have any lingering questions, feel free to email us here.