
GDPR, customer data, and your company

How much impact does GDPR have on the way you process customer data? The answer will depend on your company and how you are using personal data now. Some companies will need to invest heavily in data security and GDPR legal advice. Others may already be on the right side of the law, or very close to it.

For example, if you collect and share personal data without permission or without protecting it, look out. It’s time to make some big changes, and quickly. On the other hand, if you are quite careful and conservative in the way you use personal data, awesome! GDPR compliance may only require some small tweaks on your part.

In fact, for a small company that collects a minimal amount of customer data and only uses it to provide services, GDPR’s spotlight on privacy is an opportunity to shine. Small, service-oriented businesses have an advantage here. Their profits do not depend on collecting data on a large scale and monetizing it. With just a few adjustments to policies and procedures, you can easily become compliant with GDPR and signal to your customers that their data is safe with you. In this way, you’ll set yourself apart from some of the larger players who are often in the press for furtively hoarding and exploiting people’s data.

Let’s talk about whether your customers are protected by GDPR. Then, we’ll consider how your company uses customer data. Finally, we’ll list some best practices for compliance when it comes to customer data.

Are your customers protected by GDPR?

The General Data Protection Regulation (GDPR) protects the personal data and privacy of people who are in the European Union and the European Economic Area, whatever their nationality. Its scope is not based on citizenship:

  • If your company is established in the EU, the GDPR covers all the personal data you process, wherever the people live.
  • If your company is outside the EU, the GDPR still applies when you offer goods or services to people in the EU, or monitor their behaviour there. That covers EU residents, foreign residents in the EU, and visitors alike.

This gives GDPR a broad scope. If your services or website are available to people in the EU, or you market to them, you should comply with GDPR. Further, it’s important to remember that many other countries have now created their own data protection laws. Many of these are closely modeled on the GDPR, with a similarly broad scope. Therefore, key rules and best practices for handling customer data under GDPR may apply worldwide.

How do you use customer data?

Now, consider how your company uses customer data. What do you ask people for and how do you use it? Here are some of the ways you may be using customer data right now:

To provide goods and services

Throughout history, people have exchanged goods or services with one another. This is still the backbone of commerce. However, these days, it is not as simple as swapping items with your neighbors. Usually, you will need some personal information about your customers to deliver a service or product. This includes data you collect to fulfill orders, process payments, and deliver goods. All this personal data is subject to GDPR rules, whether you collect it online, over the phone, or in person.

For personalization and customization

Depending on your product or service, you may collect additional personal data from people about their preferences. You can use this type of personal data to personalize and tailor the customer experience. Knowing something about the person can help you recommend relevant products or services. Further, collecting information about their past purchases or browsing history lets you improve their experience on your website, for example by providing them with customized content and recommendations. Remember that browsing history and behavioural profiles are personal data too, and often the kind people least expect you to keep.

For customer support and communication

You also need customer data to facilitate effective customer support and communication. This includes customer contact details to respond to inquiries, provide updates on orders, or resolve issues. Customers may also share additional data and even sensitive data with your customer support representatives. So make sure you take the data in customer service databases and chats into consideration and protect it.

For marketing and advertising

Customer data plays a significant role in marketing and advertising activities. It can help you conduct market research, understand people’s preferences, and segment customers into target groups. This, in turn, lets you create targeted marketing campaigns and content, such as promotional emails that are relevant to different customers and leads.

To improve your business

Customer data can give you insights into customer behavior, preferences, and trends. This can help identify patterns and understand market dynamics. Then, you will know how to improve your products or services and make informed business decisions. Data analysis can also be used to optimize your pricing, inventory management, and overall business operations.

For compliance and legal requirements

You may need to store customer data to fulfill legal obligations and regulatory requirements. This includes maintaining records for tax purposes, verifying customer identities to prevent fraud or money laundering, or responding to legal requests or government inquiries. Certain sectors, such as the healthcare sector, may be required to keep data for a set time period.

Sharing or selling customer data

The above are some of the most common ways you may use customer data within your company. And they are all subject to GDPR rules. But you should also consider whether you share data outside your company for any purpose. For example, you may share data with your business partners, like vendors, suppliers, or service providers.

Giving these third parties access to customer data can help you deliver your products and services, improve customer experience and streamline your business. However, such sharing is subject to strict GDPR rules and conditions. Finally, if you collect data on a large scale, sell/monetize it, or share it internationally, requirements become even more stringent.

Get consent before asking for a customer's data

To start with, GDPR requires you to have a legal basis for collecting personal data. Consent is one of six possible bases, and it is the most straightforward one for anything optional, such as marketing emails or personalization. For data you genuinely need to fulfill an order, the legal basis is usually the contract with the customer rather than consent; do not ask people to consent to something they cannot refuse, because consent that is not freely given is not valid. Whatever basis you rely on, document it. If you get consent verbally, record when you got it and what the person agreed to.

Your consent forms should be clear and easy to understand. They should state the reasons why you are asking for personal data, mention what you will or will not do with the data, and include a link to your privacy policy. Consent must be as easy to withdraw as it was to give. If you share or sell data, you should usually get specific, separate consent to do so.


Minimize the customer data you collect

The GDPR principle of data minimization affects how much data you should collect from customers. It states that you should only collect and process the minimum amount of customer data needed for your stated purpose, and its companion principle, storage limitation, says you should not keep that data longer than the purpose requires. Both aim to limit the exposure of people’s personal information and the risks to their privacy. Inventory your data regularly, including mailboxes, support chats, spreadsheets and backups, to make sure you aren’t keeping data you don’t need.

Know your customers' GDPR data rights

GDPR gives your customers more rights over their personal data: the right to be informed, to access their data, to have it corrected or erased, to restrict or object to processing, to data portability, and rights in relation to automated decision-making. You should be familiar with these rights and disclose them to your customers in your privacy policy.

People can make legally binding requests based on these rights, and you must respond to them promptly. You should respond to data subject requests (also called DSRs or DSARs) without undue delay and at the latest within one month. That period can be extended by up to two further months for complex or numerous requests, but you must tell the person about the extension, and why, within the first month. Make sure you have a plan in place to respond to data rights requests on time, including a way to verify that the requester is who they claim to be, so that you never hand one person’s data to another.

Besides avoiding fines, there is a more important reason to respond to these requests promptly. Customer satisfaction. Really, being ready and willing to provide people with information about their data when they ask for it is just good customer service.

Keep customer data safe

GDPR requires you to implement appropriate technical and organizational measures to protect customer data from unauthorized access, loss, destruction, or alteration.

Use strong passwords with multi-factor authentication, encryption, and access controls that give each employee only the data they need for their job. Perform regular data backups and test that you can actually restore from them. Educate your employees about how to protect their devices and the data on them. Don’t forget to protect paper copies and notes with people’s personal information on them.


Let your customers know who to complain to

GDPR requires each EU member state to establish one or more independent supervisory authorities. Usually, these are called data protection authorities (DPAs). Your local data protection authority is responsible for enforcing and overseeing GDPR compliance. As such, it has the power to investigate breaches, issue fines, and provide guidance about data protection.

Find out who your local data protection agency is and provide their contact info to your customers. This lets your customers know you take responsibility for protecting their privacy and their data.

If customer data is affected by a breach, report it

If your company were to suffer an incident that poses a risk to your customers’ rights and freedoms, report it. Have systems in place to help you identify any unauthorized access, disclosure, or loss of personal data quickly.

When one of these incidents occurs, first assess whether it poses a risk to people’s privacy, rights, and reputation. If it does, notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if you report later than that, you must give the reasons for the delay. The 72 hours run from the moment you become aware of the breach, which is why the detection systems mentioned above matter. Include details about the breach, its likely impact, any remedial actions taken or planned, and a contact point such as your data protection officer. The DPA will assess the breach and may provide guidance or request further information.

You may also need to notify the affected individuals themselves. This is required when the breach is likely to result in a high risk to their rights and freedoms; where the exposed data was encrypted and the key was not compromised, individual notification is normally not required. The notification should describe the nature of the breach, the types of data affected, the potential consequences, and recommended measures they can take to protect themselves.

Finally, maintain records of all data breaches, including the details of the breach, the actions taken, and any communication with the authorities and affected individuals. These records demonstrate compliance with reporting obligations in case of a regulatory audit or investigation.


When others process customer data for you

If you use any third-party service providers to process customer data on your behalf (in GDPR terms, processors), GDPR requires a written data processing agreement with each of them. This is often also abbreviated DPA, which is easy to confuse with the data protection authority above, so be clear which one you mean. Basically, it is a contract that sets out what the processor may do with the data and on whose instructions, its security obligations, its duty to help you with breaches and data subject requests, what happens to the data when the contract ends, and the conditions under which it may engage sub-processors.

GDPR rules for sending customer data abroad

GDPR has special requirements for transferring customer data outside of the EU (cross-border transfers). Keep this in mind when communicating with overseas business partners, like suppliers, manufacturers, or distributors about a customer.

But before sending customer data to overseas partners, first consider whether they really need that data to do their jobs. And as always, if you don’t need to share personal data, don’t share it.

As an example, suppose a florist in Europe works with suppliers abroad to import tropical flowers for a wedding. When communicating about the order, they are careful not to copy or forward customer requests/chats/order forms that may include that person’s personal information. They take the time to check anything they share for personal information, then redact or omit it. In this way, they avoid transferring any of their customer’s data outside the EU at all, and the transfer rules below never come into play.

Of course, this is always the best policy: Share customer data only on a need-to-know basis. However, this is even more important when deciding whether to share data with someone in another country outside the EU.
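Two of the checks on this page, looking for personal data in what you are about to share (as the florist does) and inventorying what you are already keeping (the data minimization step earlier), are easier to do consistently with a small tool than by eye. The following is an added example, not code from this page or from the products mentioned on it; the patterns, the field labels, and the sample order chat are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed patterns for personal data that commonly turns up in order forms and
# support chats. They are heuristics for illustration, not an exhaustive list:
# tune them to the formats and languages your own data uses. Order matters:
# the IBAN pattern runs before the phone pattern so a bank account number is
# not partially consumed as a phone number.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b"),
    "phone": re.compile(r"(?<!\w)\+?\d[\d ()-]{7,}\d(?!\w)"),
}

# Assumed labels whose whole value is personal data, even if no pattern matches it.
PII_FIELD_WORDS = ("name", "customer", "address", "phone", "email")

# "Label: value" lines, as found in order forms and chat transcripts.
FIELD_RE = re.compile(r"^(?P<label>[A-Za-z ]+):\s*(?P<value>.*)$")


@dataclass
class RedactionReport:
    text: str                                     # text with personal data replaced by markers
    findings: dict = field(default_factory=dict)  # kind of data -> number of hits


def redact(text: str) -> RedactionReport:
    """Replace personal data with [REDACTED-<kind>] markers and count what was removed,
    so the sender can review the result before forwarding it outside the company."""
    findings: dict = {}
    out_lines = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        label = m.group("label").strip().lower() if m else ""
        if m and any(word in PII_FIELD_WORDS for word in label.split()):
            # The label alone tells us the value is personal data: drop the value.
            findings[label] = findings.get(label, 0) + 1
            out_lines.append(f"{m.group('label')}: [REDACTED-field]")
            continue
        for kind, pattern in PII_PATTERNS.items():
            line, hits = pattern.subn(f"[REDACTED-{kind}]", line)
            if hits:
                findings[kind] = findings.get(kind, 0) + hits
        out_lines.append(line)
    return RedactionReport("\n".join(out_lines), findings)


def contains_personal_data(text: str) -> bool:
    """True if anything that looks like personal data was found. Use it as a gate
    before copying a customer conversation to a supplier or partner."""
    return bool(redact(text).findings)


def inventory(documents: dict) -> dict:
    """Map each document name to the kinds of personal data it contains (an empty
    list means nothing was detected). Run it over exports of mailboxes, chats and
    shared folders to find data you no longer need to keep."""
    return {name: sorted(redact(body).findings) for name, body in documents.items()}


# Constructed sample: a florist's order chat for a wedding, containing personal data.
ORDER_CHAT = """\
Customer name: Anna Lind
Email: anna.lind@example.com
Phone: +45 20 12 34 56
Delivery address: Vestergade 12, 8000 Aarhus
Order: 40 stems Phalaenopsis, white, for 14 June
Note: wants them to match the table runners
"""

if __name__ == "__main__":
    report = redact(ORDER_CHAT)
    print(report.text)       # only the order details survive
    print(report.findings)   # what was stripped, for the sender to double-check
    print(inventory({"wedding-chat.txt": ORDER_CHAT, "stock-list.txt": "40 stems, white"}))
```

The patterns are deliberately broad, so expect some false positives (a long order number can look like a phone number). That is the safer direction here: the output is something a person still reviews before sending, and a wrongly flagged line costs a moment, while a missed one is a cross-border transfer of personal data.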

If you do need to send customer data to a country outside the EU, we recommend the following to be sure the transfer meets GDPR requirements:

  1. Check whether the EU has issued an adequacy decision for the country. If so, you can treat the transfer like one within the EU.
  2. If not, put an appropriate safeguard in place: sign the European Commission’s Standard Contractual Clauses (SCCs) with the recipient; or
  3. transfer only to companies covered by approved Binding Corporate Rules (BCRs); or
  4. rely on an approved code of conduct or certification under which the data importer makes a binding and enforceable commitment to apply appropriate safeguards.
  5. Only as a last resort, for occasional transfers, get the person’s explicit consent after informing them of the possible risks of the transfer.

Whichever safeguard you use, you are also expected to assess whether the laws of the destination country undermine it, for example by giving authorities broad access to the data, and to add measures such as encryption where they do. Without consent, a transfer can still be permitted if it is necessary for the performance of a contract with the person, for the person’s vital interests, or for the establishment, exercise, or defense of legal claims. Additionally, you may be allowed to perform occasional transfers that are not repetitive and concern only a small number of individuals, but you must inform the supervisory authority and the people concerned.

GDPR says to keep track of your customers' data

As a company, according to the GDPR, you are responsible for the customer data you collect (you are the controller). Meeting that responsibility requires good data processes, discipline and documentation. This can be achieved manually, but IT tools can make the task manageable, both for yourself and for your employees.

DataMapper - find your sensitive data
ShareSimple - send and receive data securely in Outlook
RequestManager - process data subject requests easily

Sebastian Allerelli

Governance, Risk & Compliance Specialist