Is your company compliant with GDPR standards? Do your current sales campaigns reflect the regulations set forth by the GDPR? How will you proceed with your sales proposals in the future to stay compliant? Here is a look at sales proposals and GDPR compliance, and at how companies are changing their sales technologies to meet the new standard.
Cybercrime has become a serious threat to companies around the world. The European Union (EU) is a common target for cybercriminals. Cybercrime makes protecting the personal data of your customers of the utmost importance.
During the first half of the year, 4.5 billion personal records were compromised in Europe.
During this period, there were nearly 60,000 data breaches of companies in the EU. The GDPR was instituted to tighten the cybersecurity of companies that hold personal data of EU citizens.
The new compliance protocols put in place have changed the way businesses operate regarding personal data. This also means that there must be a different sales approach incorporated.
What is GDPR?
Before venturing into the implications of GDPR on sales proposals and technologies related to the standard, we must first detail what exactly GDPR is and what it entails. The European General Data Protection Regulation (GDPR) was implemented for businesses in EU countries.
The GDPR was developed to protect EU citizens’ personal data while also giving them more control over their own personal information. As of May 25th of 2018, all EU companies that maintained personal data in large databases were forced to comply with GDPR.
The GDPR applies to any company doing business in the EU and is also enforceable in some countries with a considerable amount of EU customers. The UK government has stated that Brexit will not have any effect on GDPR. Following Brexit, the UK will update the Data Protection Act (DPA) to reflect the GDPR protocols.
Based on GDPR, any business that engages in ‘regular or systematic’ monitoring of large-scale databases of personal consumer data or gathers and maintains extensive volumes of ‘special category data’ must hire a Data Protection Officer (DPO) on their staff.
The Data Protection Officer is needed to ensure company compliance with the regulations of GDPR. If there are any compliance issues, the DPO is the company’s contact person. Serious breaches are to be reported to regulatory bodies within 24 to 72 hours.
Individuals now have more control over their personal information and how it is used. GDPR gives consumers what it refers to as the ‘right to be forgotten’ if they wish to be removed from a company’s database.
GDPR Compliance Checklist
Small businesses are to implement the following checklist to stay in compliance with GDPR:
- Understand your data. You need to have a solid grasp on the types of data you gather and maintain in your database (e.g., names, phone numbers, email addresses, home addresses, banking information, IP addresses, etc.) and on information deemed sensitive or ‘special category’ (e.g., health records, whereabouts, religious affiliations, etc.).
- Review your consent policy. GDPR requires companies that market online to get clear, explicit, and specific consent from customers and prospects before adding them to a contact list and marketing to them via email.
- Evaluate security policies and measures. Companies have to update their policies and procedures to reflect the protocols of GDPR. The general use of encryption will help uphold the security of customer data.
- Prepare to accommodate access requests within a month. Under GDPR, consumers can request access to their personal data. They are also able to correct and rectify any discrepancies found in the records. Companies have a month from the date of the inquiry to respond to such requests.
- Notify your staff about reporting requirements. If there is a breach, companies must report it to that particular country’s governing bodies within 72 hours. Outline what is considered a personal data breach and detail the telltale signs to look for to recognize a potential breach.
- Assure supply chain compliance. Even if your company is up to code with the compliance measures, your supply chain’s compliance has to be evaluated. If your trade partners are not compliant, it can expose your customers to potential cybersecurity threats.
- Draft fair processing notices. Per the specifications of GDPR, companies must describe how customer data is being used.
- Determine whether your company needs a Data Protection Officer. While many small businesses will not require the services of a DPO, if your business is engaged in the large-scale monitoring of data sets on a systematic and regular basis, GDPR requires your company to hire a DPO.
Data Retention Policies
Under GDPR, companies are forbidden from holding personal data for longer than is deemed necessary. Businesses are also restricted from using personal information in a way that is inconsistent with the purpose originally expressed to the individual.
Put a policy in place that sets the timeframe for which personal data is held and defines the process and timing for purging old personal data from your records.
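The two rules above (retain no longer than necessary, and use data only for the stated purpose) are easiest to enforce when they are written down as a policy the system can evaluate. The following is an added example, not code from the article: a small retention policy expressed as purpose-to-days, a purge check that also honours withdrawal requests, and a purpose-limitation check. The purposes, retention periods and records are constructed for the example and are not figures from the article or the regulation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed retention policy: the purpose stated at collection -> maximum
# number of days the data may be kept. The periods are assumptions for the
# example, not figures from the article or from the regulation.
RETENTION_DAYS: Dict[str, int] = {
    "order_fulfilment": 365 * 6,   # kept for bookkeeping obligations
    "email_marketing": 365 * 2,    # re-confirm consent after two years
    "support_ticket": 365,
}


@dataclass(frozen=True)
class PersonalRecord:
    subject_id: str
    purpose: str                          # purpose the customer was told at collection
    collected_on: date
    withdrawn_on: Optional[date] = None   # consent withdrawn / erasure requested


def expiry_date(record: PersonalRecord, policy: Dict[str, int] = RETENTION_DAYS) -> date:
    """First day on which the record may no longer be held under the policy."""
    if record.purpose not in policy:
        # Data with no defined retention period cannot be justified; refuse to guess.
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")
    return record.collected_on + timedelta(days=policy[record.purpose])


def is_due_for_purge(record: PersonalRecord, today: date,
                     policy: Dict[str, int] = RETENTION_DAYS) -> bool:
    """Purge when the retention period has elapsed, or earlier when the data
    subject has withdrawn consent or asked to be forgotten."""
    if record.withdrawn_on is not None and record.withdrawn_on <= today:
        return True
    return today >= expiry_date(record, policy)


def purge_candidates(records: List[PersonalRecord], today: date,
                     policy: Dict[str, int] = RETENTION_DAYS) -> List[str]:
    """Subject ids whose records must be removed on `today`."""
    return [r.subject_id for r in records if is_due_for_purge(r, today, policy)]


def use_is_permitted(record: PersonalRecord, intended_purpose: str) -> bool:
    """Purpose limitation: data collected for one stated purpose may not be
    reused for an unrelated one (for example order data reused for marketing)."""
    return record.purpose == intended_purpose


# Constructed sample records, not real customer data.
SAMPLE_RECORDS = [
    PersonalRecord("cust-001", "support_ticket", date(2019, 1, 1)),
    PersonalRecord("cust-002", "email_marketing", date(2020, 3, 1)),
    PersonalRecord("cust-003", "email_marketing", date(2020, 3, 1), withdrawn_on=date(2020, 5, 15)),
    PersonalRecord("cust-004", "order_fulfilment", date(2018, 7, 1)),
]


def sample_report(today: date = date(2020, 6, 1)) -> dict:
    """Evaluate the sample records on a fixed date."""
    return {
        "purge": purge_candidates(SAMPLE_RECORDS, today),
        "expiry_cust_001": expiry_date(SAMPLE_RECORDS[0]).isoformat(),
        "order_data_for_marketing": use_is_permitted(SAMPLE_RECORDS[3], "email_marketing"),
        "order_data_for_fulfilment": use_is_permitted(SAMPLE_RECORDS[3], "order_fulfilment"),
    }


if __name__ == "__main__":
    print(sample_report())
```

Running the report on 1 June 2020 flags cust-001 (support data older than a year) and cust-003 (consent withdrawn) for purging, keeps the other two, and refuses to treat order data as a marketing contact. A real deployment would run the purge on a schedule and log what was removed, so the deletion itself becomes evidence of compliance.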
How is Consent Defined?
To stay compliant with your sales campaigns and proposals, properly defining consent is crucial. An individual has to knowingly and willingly opt-in to your mailing list to be sent email campaigns.
The opt-in means that consent boxes cannot be pre-checked. The call to action for consent is to be clear and explicit. Marketing to prospects without consent constitutes a violation of GDPR.
GDPR Consent Checklist
Throughout drafting your sales proposal and conducting your general activities, the consent process must coincide with the regulatory guidelines. The following checklist gives the specific requirements businesses are ordered to adhere to.
- Evaluate and revamp your current consent practices to determine whether they meet the compliance requirements.
- Explicit consent is defined as a very clear and specific statement that gives consent to use data for communication purposes.
- Be clear, explicit, and specific about requesting consent.
- Give prospects a genuine choice and full control of their data.
- Avoid requiring consent as a precondition to the provision of services.
- Do not have boxes pre-checked on opt-in forms.
- Any third parties that will utilize the information given must be named.
- Requests for consent are to be kept separate from the terms and conditions.
- Make consent withdrawal steps simple.
- Maintain evidence of consent.
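Most of the checklist items above are properties a consent store can enforce at the moment consent is captured: reject pre-checked boxes, reject requests bundled with the terms and conditions, keep the exact wording shown and the named third parties, and make withdrawal a recorded event rather than a deletion. The following is an added example, not code from the article; the field names, the ledger class and the sample opt-ins are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class ConsentRecord:
    subject: str
    purpose: str                          # e.g. "email_marketing"
    statement_shown: str                  # exact wording the person agreed to
    source: str                           # form or page where consent was captured
    granted_at: datetime
    third_parties: Tuple[str, ...] = ()   # named recipients of the data, if any
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only evidence of consent; withdrawal is recorded, never erased."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_opt_in(self, subject: str, purpose: str, statement_shown: str, source: str,
                      granted_at: datetime, box_prechecked: bool, box_ticked: bool,
                      bundled_with_terms: bool, third_parties: Tuple[str, ...] = ()) -> ConsentRecord:
        # Only an affirmative act counts: a pre-checked or untouched box is not consent.
        if box_prechecked or not box_ticked:
            raise ValueError("consent requires an explicit opt-in; pre-checked boxes are not consent")
        # The request must stand apart from the terms and conditions.
        if bundled_with_terms:
            raise ValueError("consent request must be separate from the terms and conditions")
        # The wording shown is the evidence of what was agreed to; it must be kept.
        if not statement_shown.strip():
            raise ValueError("the consent statement shown must be retained")
        rec = ConsentRecord(subject, purpose, statement_shown, source, granted_at, tuple(third_parties))
        self._records.append(rec)
        return rec

    def withdraw(self, subject: str, purpose: str, when: datetime) -> bool:
        """Mark the active consent as withdrawn; returns False if none was active."""
        for rec in self._records:
            if rec.subject == subject and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = when
                return True
        return False

    def has_consent(self, subject: str, purpose: str, at: datetime) -> bool:
        """True if a consent for this purpose was in force at time `at`."""
        return any(
            r.subject == subject and r.purpose == purpose
            and r.granted_at <= at and (r.withdrawn_at is None or r.withdrawn_at > at)
            for r in self._records
        )

    def evidence(self, subject: str, purpose: str) -> List[ConsentRecord]:
        """Everything ever recorded for this subject and purpose, including withdrawals."""
        return [r for r in self._records if r.subject == subject and r.purpose == purpose]


def demo() -> dict:
    """Constructed walk-through: one valid opt-in, one rejected pre-checked box, one withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2020, 6, 1, 9, 0)
    ledger.record_opt_in("ada@example.test", "email_marketing",
                         "Yes, email me product updates from ExampleCo.", "newsletter-form",
                         t0, box_prechecked=False, box_ticked=True, bundled_with_terms=False)
    rejected = False
    try:
        ledger.record_opt_in("bob@example.test", "email_marketing", "Keep me posted", "checkout",
                             t0, box_prechecked=True, box_ticked=True, bundled_with_terms=False)
    except ValueError:
        rejected = True
    consent_july = ledger.has_consent("ada@example.test", "email_marketing", datetime(2020, 7, 1))
    ledger.withdraw("ada@example.test", "email_marketing", datetime(2020, 8, 1))
    consent_september = ledger.has_consent("ada@example.test", "email_marketing", datetime(2020, 9, 1))
    return {
        "prechecked_rejected": rejected,
        "consent_july": consent_july,
        "consent_september": consent_september,
        "bob_has_consent": ledger.has_consent("bob@example.test", "email_marketing", datetime(2020, 7, 1)),
        "evidence_count": len(ledger.evidence("ada@example.test", "email_marketing")),
    }


if __name__ == "__main__":
    print(demo())
```

Because withdrawal only stamps `withdrawn_at`, the ledger can still answer "did we have consent when that campaign went out?" for a past date, which is exactly the question a regulator or a complaining customer will ask.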
Penalties of Violating GDPR
The penalties of violating GDPR are strict. The punitive nature of the penalties is intended to keep violators from committing repeat violations.
For instance, before GDPR in the UK, the Data Protection Act (DPA) imposed a maximum fine of £500,000 for companies with data breaches.
Under the more stringent specifications of GDPR, there is a maximum fine of £20 million or 4 percent of annual global turnover, whichever is higher.
Aside from monetary fines, there are also possible prison sentences to be handed out to deliberate violators of the regulation. Specific procedures and activities are also enforced to put breached companies into compliance.
Penalties of a Data Breach
The severity of the penalties of suffering a data breach is enough to threaten some companies with insolvency if they are charged and fined.
Aside from the measures taken by governing bodies, if a breach occurs, it is also important to note that customers can also sue the companies that fail to protect their personal and sensitive data.
Sales to EU Citizens
Any company doing business in the EU must adhere to the GDPR if they maintain large databases of personal data. This includes businesses that are based in foreign jurisdictions that do business in the EU.
Regardless of where your company is headquartered, you will need to devise a compliance strategy to secure your database if you intend to do business in the EU.
GDPR Compliance Technologies and Tools
It takes an assertive effort to maintain the security that a company needs to comply with the new standard. Sales departments must work closely with IT departments and communicate their needs to each other to maintain security.
Your team should build a sales proposal that highlights the changes and makes consent requests transparent and apparent.
Some technologies exist to make the process of converting over to the GDPR standard as effortless as possible.
Incorporating these technologies into your sales proposal and general operational processes will keep your sales team’s procedures and practices compliant.
- Individual Rights Compliance: Individual rights compliance is a technology that allows companies to generate customized individual rights request forms. This technological solution also automates notifications and reporting to keep companies compliant with the new standard.
- GRC Solutions: While not a new technology, governance, regulations, and compliance (GRC) solutions are services offered by vendors experienced in maintaining data security and keeping companies compliant with government regulations, including GDPR. GRC solutions have been used to uphold a plethora of compliance regulations in the enterprise IT sector.
- Automated Data Protection: The most efficient way to ward off cyberattacks is by instituting an automated, machine-driven approach that is malleable and diligent. The automation of manual data protection procedures and increased visibility of the inflow and outflow of data is the objective of this technology. Companies must embrace new security measures, and the Data Protection Officer should be at the helm of the transition to ensure that the integrated systems thoroughly protect consumer data.
- Data Mapping: The penalties and stringent specifications of GDPR require that organizations use precise and airtight practices. Much of the concerns expressed by the standard revolve around the classification of the data gathered. With data mapping, the type and scope of the data collected can be ascertained and properly classified. Implementing data mapping technology will help keep data from slipping through the cracks by properly identifying and classifying it in a timely manner.
- Managed File Transfer: Businesses that collect personal data are often required to handle the sending and receiving of files containing sensitive and personal information. Managed file transfer (MFT) technologies securely transfer, collect, and store files that contain personal and sensitive data. The protected transfer of these files shields the data they contain to assist with compliance demands.
- Privacy Impact Assessments: Consistent monitoring is required to minimize the likelihood of a security breach. Investigatory measures like privacy impact assessments can be the difference between facing the wrath of regulators and protecting your customer database. Take into account the privacy risks that arise from different company functions like acquisitions and mergers, product launches, and geographically expanding a company’s footprint. Privacy impact assessments take a holistic view of a company’s activities and determine the viability of the data protection factor.
- Pseudonymization Technologies: Encryption and data masking are critical elements in the IT fight against cybercrime. Pseudonymization is a process that the GDPR references. This process entails the dissection of a consumer’s personal data file into various pieces stored in different locations. Pseudonymizing data files makes it nearly impossible for cybercriminals to reassemble a customer’s entire data profile.
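The separation described above, where the pieces that identify a person are held apart from the rest of the profile, is commonly implemented by replacing direct identifiers with keyed tokens and keeping the token-to-identity table (and its key) in a different, more tightly controlled store. The following is an added example, not code from the article: it uses HMAC-SHA256 tokens, and the record, field names and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Fields that identify the person directly; the remaining fields stay usable
# for analysis or sales reporting without them.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample record, not real customer data.
SAMPLE_RECORD = {"name": "Ada Example", "email": "ada@example.test", "plan": "pro", "country": "FR"}


def new_pseudonym_key() -> bytes:
    """The key lives with the re-identification table, never with the working data."""
    return secrets.token_bytes(32)


def pseudonymize(record: dict, key: bytes,
                 fields: Tuple[str, ...] = DIRECT_IDENTIFIERS) -> Tuple[dict, Dict[str, str]]:
    """Replace each direct identifier with a keyed token (HMAC-SHA256).

    Returns the pseudonymized record and a token -> original value table. The
    table and the key are the 'additional information' that must be stored
    separately; a holder of the record alone cannot recover who it is about."""
    out = dict(record)
    table: Dict[str, str] = {}
    for field in fields:
        value = str(out[field])
        # Field name is mixed into the MAC so identical values in different
        # fields do not produce identical tokens.
        token = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        table[token] = value
        out[field] = token
    return out, table


def reidentify(pseudo_record: dict, table: Dict[str, str],
               fields: Tuple[str, ...] = DIRECT_IDENTIFIERS) -> dict:
    """Restore the original identifiers; only possible with the separately held table."""
    out = dict(pseudo_record)
    for field in fields:
        out[field] = table[pseudo_record[field]]
    return out


def demo(key: bytes = b"constructed-demo-key-do-not-reuse") -> dict:
    """Constructed walk-through with a fixed key so the result is reproducible."""
    pseudo, table = pseudonymize(SAMPLE_RECORD, key)
    # Same key -> same token, so records about one person still link across datasets.
    pseudo_again, _ = pseudonymize(SAMPLE_RECORD, key)
    # A different key yields unrelated tokens.
    other, _ = pseudonymize(SAMPLE_RECORD, b"a-different-key")
    return {
        "identifiers_removed": all(pseudo[f] != SAMPLE_RECORD[f] for f in DIRECT_IDENTIFIERS),
        "non_identifying_fields_kept": pseudo["plan"] == "pro" and pseudo["country"] == "FR",
        "stable_under_same_key": pseudo["email"] == pseudo_again["email"],
        "differs_under_other_key": pseudo["email"] != other["email"],
        "round_trip": reidentify(pseudo, table) == SAMPLE_RECORD,
    }


if __name__ == "__main__":
    print(demo())
```

The deterministic token is a deliberate trade-off: it lets the sales and analytics datasets still be joined per customer, but it also means the same person is linkable across every dataset that shares the key, so the key should be scoped per purpose and rotated when that linkage is no longer needed. Pseudonymized data is still personal data under the regulation; the technique reduces the impact of a breach of the working dataset, it does not take the data out of scope.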
Selling GDPR Compliance as a Benefit
With the new standards, the consumers also need to do a bit more to verify and keep their information secure. To avoid the frustration that comes with imposing additional measures on customers, it helps to sell the GDPR compliance protocols as a benefit of protecting the personal and sensitive data of your customers.
Mentioning GDPR compliance in sales campaigns is a preemptive way to address the issue and turn it into a selling point.
Monitoring GDPR Compliance Among Sales Teams
With so much on the line if there is a security breach and compromised data, there is a constant need to evaluate your team members to make sure that they are following the new standard to the letter.
There must be a zero-tolerance policy regarding the protection of customer data.
Embracing the new regulations for protecting EU consumers’ personal information will help your company stay in compliance. When implementing the new protocols, there needs to be specific attention paid to your company’s sales division.
Some procedures and tools will keep the members of your team on the same page.