Facebook CEO Mark Zuckerberg stood before the US Congress in two days of multi-hour hearings in the aftermath of the Cambridge Analytica debacle (Cambridge Analytica itself is also facing separate legal action). Among a mass of questions on how data and technology have been and will be used, the principal, resounding and recurring theme was data privacy, abuse, protection and use. One US senator said, “Many are incredibly inspired by what you’ve done. At the same time, you have an obligation, and it’s up to you, to ensure that dream doesn’t become a privacy nightmare for the scores of people who use Facebook.”
Protecting Your Data: New Regulations
As Facebook, the US and the UK deal with the aftermath of the data privacy issues that Cambridge Analytica highlights, a new law is coming into force in Europe. Adopted on April 27th, 2016, the General Data Protection Regulation (GDPR) aims to streamline and harmonize the level of data protection throughout Europe while enabling the free movement of data for controllers (e.g. companies). The two-year grace period intended to give businesses time to prepare for compliance ends with enforcement starting on May 25th, 2018. In full force, the law affects all businesses that:
- process personal data through an establishment in the EU,
- process personal data through a processor (e.g. a supplier) in the EU, or
- process the personal data of individuals who are in the EU, regardless of whether the company has an establishment in the EU.
A recent Wired article titled “Congress won’t hurt Facebook and Zuck, but GDPR and Europe could” pointedly notes the reach of the GDPR for the American social platform: “GDPR covers not only individuals based in the European Union but also data that is processed there. Since Facebook’s global data processing unit is in Ireland, that means any of its users outside the US and Canada are subject to its terms. On May 25, everyone from Australia to Zimbabwe gets new rights.” Organizations around the world will be forced to change how they collect, store, manage and analyze data, Facebook included.
- Consent. The GDPR sets a much higher bar for obtaining valid consent. Companies that rely on consent as the lawful basis for data processing must secure informed consent from customers, employees or research participants in clear, freely given and unambiguous terms before collecting their personal data. Companies must be able to document both the information given to the respondent and the consent itself. Individuals must also be able to withdraw their consent at any time, and doing so must be as easy as giving it.
- Individuals’ rights. The new legislation grants customers, employees and research participants more control over the processing of their data. The GDPR provides new and enhanced rights, such as the right to object, the right not to be subject to decisions based solely on automated processing (including profiling), and the right to data portability.
- Accountability. Companies must keep records of their processing activities and be able to demonstrate how they comply with the GDPR; it is no longer enough to simply be compliant, you must be able to show it.
- Privacy Notices. The GDPR increases the amount of information that companies must provide to their employees, customers and research participants if they want to collect and process personal data. This information must be provided in an easily accessible form, using clear and plain language.
The GDPR also covers breach notification, personal data reports, data erasure, privacy by design and privacy by default. (Our previous blog post details some of those changes.)
In a digitally small world, the GDPR’s changes will have far-reaching impacts, including on giants like Amazon, Google and Whole Foods. It will affect HR, ecommerce and ad-tech, among countless other sectors. Despite the two-year grace period, organizations are not ready. A MarTech article states that over 60% of US businesses are not ready for the regulation, and only 67% of EU businesses are in the implementation phase of their compliance programs. Organizations found to be non-compliant with the GDPR can face fines of up to €20 million or 4% of annual global turnover, whichever is greater.
GDPR and Your Feedback Data
In light of the Cambridge Analytica-Facebook controversy, many are heralding the oncoming GDPR enforcement as progress in data protection and privacy. It would be prudent for all organizations to take a hard look at their own data privacy and protection policies, even more so in relation to GDPR compliance. And where does the social giant stand on that front? Interestingly, Zuckerberg’s session notes from yesterday state, “GDPR [Don’t say we already do what GDPR requires].”
At Questback, we take privacy, security and compliance very seriously. To this end, our team has been preparing for the GDPR since 2015 to ensure that our solutions help our customers access the critical data they need to grow their operations without having to worry about violating the new set of regulations. We are headquartered in Europe, and our data centers in Germany were designed to meet the highest security requirements. To extend our privacy protections further, we are also in the process of adopting Binding Corporate Rules. Questback’s solutions enable you to create and conduct your surveys in a privacy-compliant fashion.
Adapting to any major change in legislation is hard work. We’re here to help make your transition as seamless as possible, and we look forward to keeping you informed as the enforcement date approaches. When it comes to your customer, employee or market insight, Questback is the safe choice. Our customers can use our products with the peace of mind that comes from knowing that the feedback data they collect, and the way it is stored and processed, are GDPR-compliant. It’s that simple.