GDPR stands for General Data Protection Regulation. It’s a set of rules implemented in the European Union, designed to give people in all EU countries more control over how their personal data is used by advertisers—and simplify compliance for businesses across Europe.
These new rules require companies to protect the personal data they collect, document how that data is protected, and get consent for use of that data. This will have a big effect on any business that collects data for marketing purposes, including those in the insurance business.
Here are a few things to know about GDPR.
It’s European legislation, but it affects US businesses. It doesn’t matter if your company isn’t based in Europe. If your website collects and uses personal data from people who live in the European Union, you have to comply.
And non-compliance can be expensive. The maximum fines are €4 million or 4% of your annual income. This figure isn’t set in stone, however, and fines will be set depending on the severity of the breach and the organization’s response.
In general, if you do get pinged for non-compliance, you can reduce the likelihood of a large fine by showing that you’re doing all you can to obey the rules, rather than ignoring them.
What rights do consumers have under GDPR?
Here’s a look at the basic rights your customers and visitors have under the new rules.
The right to be informed. People have the right to know how you’re collecting and using their personal data. You have to inform visitors why you’re processing that data, how long you plan to hold on to it, and who you’ll share it with. This needs to happen when you collect the data.
The right to access data. People have the right to access personal data you collect under GDPR. They can make that request either in writing or verbally, and you have to comply within a month. You aren’t permitted to charge a fee for this in most cases.
The right to rectify information. Individuals have the right to correct inaccurate data about themselves. As with the right to access, people can make the request verbally or in writing, and you have a month to comply.
The right to erasure. Also known as the “right to be forgotten,” this measure allows individuals to ask that you delete all their data wherever it’s stored. Again, the customer can make a verbal or written request, and you have to respond within one month.
The right to restrict. People also have the right to ask you to suppress the data you’ve collected. That means you can keep storing their personal data, but you can’t use or process it.
The right to portability. People have the right to get their personal data from you and reuse it across different services, systems and IT environments for their own benefit, with no security compromises.
The right to object. People also have the right to object to you processing their personal data under some circumstances, and stop you from using it in direct marketing. You have to inform them about this right.
How to comply with GDPR
Every company and organization is different, and you may have specific needs when it comes to GDPR compliance. This list is by no means exhaustive, and it can be worth it to talk to a consultant. However, here are some general guidelines.
Make sure the right people in your company know about this. Is your company large enough to have an IT department, marketing team or cyber security specialist? They need to know the rules, assess where your company is in terms of compliance, and help you put measures in place that ensure compliance.
Know what data you’re collecting and from whom. All personal data from customers, prospects, and employees counts. If you don’t know how your organization collects and stores that data now, you’ll need to find out.
Overhaul your privacy notice. When people sign up for your newsletter or marketing messages, or become your customer, you collect certain data from them. Your privacy notice should explain how you plan to use that data, how long you’ll keep it, your lawful basis for collecting it, and their rights regarding this data.
Overhaul your processes for compliance. GDPR gives people the right to see the data you collect; ask you to restrict, delete, or change it; and take it with them. Someone in your organization should be responsible for meeting those requests—and know how to find, change, or delete that information.
Know your lawful basis for collecting information. GDPR requires that you document your lawful basis for collecting certain information. This means different things for different organizations, but in general it involves demonstrating that you need that data to function and you have a legal right to collect it. Your lawful basis must touch on at least one of the following:
- The individual’s consent to their data being collected and processed.
- A need to comply with a legal obligation or contract.
- A need to protect interests “essential to the life of” the individual.
- A need to protect the public interest.
- A need to fulfill a legitimate interest such as fraud prevention.
Know how you get consent. Consent is an important part of the lawful basis many companies have for using personal data. Customers must be able to give consent freely and take it away easily. Avoid passive measures that rely on customers not opting out.
Be able to detect a data breach. If hackers get to the personal data you collect, your company will be held responsible. You’ll need processes in place to detect and investigate data breaches, and you’ll have to report them to the proper authorities—as well as the people affected, in some cases. You’ll also need to show that you have the right measures in place to guard against cyber hacks.
Appoint someone to manage GDPR compliance. GDPR regulations state that any public organization that processes data needs an appointed data protection officer. This person will keep the company informed about GDPR issues, manage compliance, and communicate with authorities.
Complying with GDPR isn’t just necessary from a regulatory standpoint—it’s also good practice. Showing transparency and allowing individuals control over the data you collect builds trust—and that’s good for business in an industry that’s built on relationships.