Why stations must comply with GDPR, and how they can do so
A new era in the governing of online privacy and personal data rights was ushered in after the European Union's General Data Protection Regulation (GDPR) went into effect May 25, 2018. An overarching policy long in the making, GDPR grants EU citizens new rights to their data, increases oversight of data handling by private companies and puts the onus on them to comply with the wide-ranging directive.
While U.S. public and religious broadcasters might think that GDPR doesn't affect them because they're on the other side of the Atlantic Ocean, the reality is the exact opposite. It's imperative these organizations understand that GDPR applies to any company with European customers. It doesn't matter where that firm is located in the world: if it does business with European citizens or collects their data in other ways, the regulations of GDPR must be followed. Otherwise, noncompliant organizations can face incredibly stiff penalties.
While GDPR may seem like a complex monolith, there are concrete steps stations can take to bring themselves in line with data handling expectations. Doing so is important even for companies that don't currently have relationships with European donors, as covering all your data bases can ensure safety no matter what happens in the future. Here are some essential points about GDPR that stations must understand and some strategies they can adopt to better prepare themselves.
What is GDPR?
"Organizations can be fined up to 4 percent of the annual global turnover or €20 million."
The final product of years of development and review, GDPR represents a sea change in the way data is regulated and addressed by governing authorities in the internet age. In a world where businesses and organizations of all sorts collect increasing amounts of customer data, and where high-profile hacks expose the private information of millions, data protection has taken on all-new importance. According to the GDPR website, the aim is to "protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which [the original] 1995 directive was established."
The key pillars that underpin the GDPR framework work to advance EU citizen data rights while also holding data-holding organizations to a higher expectation. Some of the most notable changes of GDPR include:
- Expanded regulatory scope and rights of EU citizens: The outsized effect of GDPR can be traced to the expansion of both the territory covered and the consumer protections granted. Not only does GDPR explicitly apply to all data controllers and processors established in the EU, but also to controllers and processors outside the bloc that store, collect or otherwise come into contact with the data of EU citizens. Those consumers now have codified rights, such as the right to data deletion and the right to data access, that build on the protections they previously enjoyed.
- Mandate to acquire consent: Organizations collecting EU citizen data have to clearly present users with the option to consent or decline. This requirement was sharpened to cut through the legalese of the overwrought terms and conditions contracts many organizations present to consumers.
- 72-hour breach notification turnaround: Once a data breach has been identified, organizations have three days to craft their response and notify potentially affected individuals, as well as data protection authorities.
- Significant penalties for noncompliance: Aside from the increased scale of oversight, the other most noteworthy effect of GDPR is the consequences for noncompliance. If found to be in breach of GDPR (for example, by bypassing consent, handling data unsafely or forgoing breach notification), firms can be fined up to 4 percent of annual global turnover or €20 million.
What steps can stations take?
While complying with GDPR may seem like an overwhelming effort, there are simple steps stations can take to bring their operations in line with data handling expectations set out by the directive, whether or not they currently interact with data from EU citizens. These options include:
- Assessing your current situation: Stations need to perform an audit of their data practices and obligations in light of GDPR to uncover any potential liabilities. Having a top-down view of data and how it's handled within the organization can help highlight areas of improvement needed to conform with GDPR.
- Overhauling opt-in: Stations can get ahead of the curve by bringing consent to the front of all donor interactions that require it. This can have the dual advantage of not only protecting the organization from possible noncompliance, but also increasing transparency, which can then boost users' trust.
- Keeping data clean: According to GDPR, organizations storing EU citizen data have to justify doing so. For example, if an overseas donor hasn't engaged in years, the station may have a hard time finding grounds for continuing to store that information. Outreach is crucial here: communicating with donors about their relationship with the station, as well as about their data, is important to compliance.
Under these new data regulation conditions, stations may feel pressured to comply and keep operations stable. The right donor management software can, however, grant them the tools and capabilities needed to support data practices and user communication. Talk to Allegiance Software today about finding that solution to your GDPR concerns.