Blog | Gathering Insight Under the GDPR: What You Need to Know
Customers, employees or market research participants—chances are you gather and value their insight. Whether customer experience feedback, employee engagement metrics or market research data, this type of information is invaluable to organizations as they compete in today’s digital world. As such, most organizations (if not all) collect and store some these insights.
A major new set of privacy regulations is changing how organizations manage and address data privacy and security concerns. It will likely force you to change the way you operate to avoid severe fines or other penalties. This is what you need to know when it comes to collecting insight under the new laws.
Called the General Data Protection Regulation (GDPR), these new laws apply on May 25, 2018. The regulations—which give people more control over their personal data (e.g., email and IP addresses)—represent an overhaul of Europe’s existing privacy laws which have been on the books since 1995. GDPR comes along with new local laws in each EU country that specify regulation where the GDPR allows to do so.
GDPR will drastically change how organizations process personal data and interact with their customers, employees and the market at large. What will change when the GDPR is officially enacted? Some of the major differences are:
- Consent. The GDPR introduces a much higher bar for obtaining valid consent. Companies who rely on consent as a lawful basis for data processing must secure informed consent from customers, employees or research participants in clear, unconditional and unambiguous terms before collecting their personal data. Companies must be able to document both the transparent information of respondent as well as the consent itself. At any time, individuals must also be able to revoke their consent any time if they so choose.
- Breach notification. Companies must inform their supervisory authorities within 72 hours of finding out about a data breach. They also have to inform their customers, employees or research participants with undue delay if the data breach is likely to result in a high risk to their rights.
- Companies must provide their customers, employees or research participants with copies of their personal data upon request.
- Data erasure. Companies need to respect the customer’s, employee’s or research participant’s right to be forgotten by deleting personal data when it’s no longer relevant or when consent is withdrawn.
- Privacy by design. Privacy by default. Companies must build systems or select solutions with privacy by design and by default—data privacy cannot be tacked on as an afterthought. Any system that processes personal data should only collect the data they need to collect—and nothing more. Simultaneously, any pre-installed features should be set up to protect privacy by default, requiring users to intervene to share their data. In contrast to today’s methods, organizations and solutions must not just be privacy-friendly but also advocates in the experiences and solutions they provide.
Failure to comply with the GDPR can result in a fine up to 4% of annual global turnover or €20 million, whichever is greater. Although the GDPR has been on the horizon for some time, many organizations aren’t prepared for its implementation. In fact, recent studies highlight this lack of preparation. Only 40% of European companies are ready for the GDPR, and across the ocean, a mere 6% of North American companies are ready for its implementation!
Despite the relative lack of readiness, organizations can still take steps towards GDPR compliance by being selective in choosing their solution providers. In fact, GDPR imposes this duty on companies! Article 28 of the GDPR stipulates that organizations are responsible for diligently selecting service providers, utilizing only those that provide sufficient guarantees to meeting the GDPR requirements and ensuring the protection of the rights of the data subject. Thus, by partnering with compliant and forward-thinking solution providers, your organization can not only ensure compliance but also reduce risk and gain a few steps on your slower-moving competitors.
Ensuring GDPR compliance starts with determining whether your data processor (like Questback) is compliant.
At Questback, we take privacy, security and compliance very seriously. To this end, our team has been preparing for the GDPR since 2015 to ensure that our solutions help our customers access the critical data they need to grow their operations—without having to worry about violating the new set of regulations. Headquartered in Europe, our data centers in Germany were designed to meet the highest security requirements. To extend our privacy protections further, we’re also in the process of adopting Binding Corporate Rules. Questback’s solutions will enable you to create and conduct your surveys in a privacy-compliant fashion.
When it comes to your customer, employee or market insight, Questback is the safe choice. Our customers can use our products with the peace of mind that comes with knowing the feedback data they’re collecting and the way it’s stored and processed are GDPR-compliant. It’s that simple.
Over the next few weeks, we will be publishing a few more blogs to give you a better understanding of why the GDPR matters, what you should consider when looking for a GDPR-compliant solution provider and why you should invest in solutions that were built with the GDPR top of mind (instead of retrofitted at a later date).
Adapting to any major changes in legislation is hard work. We’re here to help make your transition as seamless as possible, and we look forward to keeping you informed as we approach implementation.