What is the GDPR?
The GDPR – which replaces the Data Protection Directive in effect since – applies to any organization dealing with customers residing in the EU and will go into effect in May.
The main goals of the GDPR are to give individuals more rights and control over their personal data, and ensure this data is secure. Specifically, the GDPR regulates the collection, storage, use, and sharing of "personal data,” defined as any data that relates to an identified or identifiable natural person. Note that the regulation doesn’t distinguish between a person’s private, public, or work roles as relates to data.
Personal data can include, but is not limited to, the following:
- Online identifiers (e.g., IP addresses and cookies)
- Employee information
- Sales-related data
- Customer service data
- Credit and debit card numbers
- Customer feedback
- Physical details
- Social media posts
- Cultural identity
- Location data
- Biometric data
- Loyalty program records
- Financial information
In fact, any information that is somehow linked and tracked back to an individual – even if through an account number, unique code, or pseudonym – is considered personal data.
Moreover, you need to follow more stringent rules when it comes to processing certain "special" categories of personal data, such as that reveals a person's racial or ethnic origin, or concerns their health or sexual orientation.
Under the GDPR, individuals can demand to know exactly how their data will be used, request access to and get a copy of their stored data, and even request it be corrected or removed from a company’s systems. They can also restrict or choose not to allow their personal data to be subject to automated processing, and can even demand that it be erased (i.e., they have the “right to be forgotten.”) If they choose to do so, they can move their data between companies.
Here are more specifics about three key areas of GDPR focus:
- Individual’s rights. Consumers (and your employees) have a right to know who is collecting data, for what purpose, and how long are you (and your partners and service providers) are going to keep it.
- Security measures. You and your partners/service providers need to put in place appropriate security controls and satisfy new obligations. Perhaps most importantly, your company can’t pass off responsibility for the security of consumer and employee data to a third party.
- Breach Notification. Within hours of a breach occurring, your company must notify the authorities and, in cases of high risk, affected individuals as well.
Six Key Principles
In addition to addressing the previous three main areas, your organization – and your partners/service providers – need to comply with the following six key principles if you collect or process personal data:
- Demonstrate transparency, fairness, and lawfulness in how you collect, handle and use personal data. You clearly communicate to the consumer about how you are collecting or using personal data and you will need a "lawful basis" to process that data.
- Limit the processing of personal data to specified, explicit, and legitimate purposes. You won’t be able to reuse or disclose personal data for purposes that are not "compatible" with the purpose you originally collected the data
- Minimize the collection and storage of personal data. You should only collect and store what is adequate and relevant for your intended purpose.
- Ensure the accuracy of personal data and enable it to be erased or rectified. You will need to ensure that the personal data you store is accurate and can be corrected if need be.
- Limit the storage of personal data. You must only retain personal data for as long as necessary to achieve whatever you intended when you collected the data.
- Ensure security, integrity, and confidentiality of personal data. You must use technical and organizational security measures organization to keep personal data secure.
Chatbots will quickly prove themselves useful for GDPR compliance: they can help get consent, update information or offer accessible opt-out options for prospects. Essentially, they reduce the pain and the necessary steps required to update your customer, prospect or candidates’ files.
You can import your our GDPR template bot here. It is a very comprehensive bot that fully explains the law. It has two conversational paths, one for business, one for individuals. After detailing the law, the business path tests your understanding with a game. For individuals, it shows you how to identify businesses that might be violating GDPR law.