Outsourcing is something that virtually every business does to save money. In the digital age, so much of what is moved abroad is information. That way companies can stay competitive while paying less for the services they rely on. With the EU GDPR coming into force from May 25th, 2018, it’s time we took a closer look. To say it’s going to change things is an understatement.
What is the EU GDPR?
The European Union (EU) General Data Protection Regulation (GDPR) is a newly devised privacy regulation that affects how information is handled. It has been common practice for years for businesses to outsource specific services to trusted third parties. A significant part of this is in the form of information services, which results in large amounts of data leaving the EU. From May 25th businesses will find it increasingly difficult to do this due to the new GDPR. But why is it happening?
Why is it Happening?
The GDPR is in part a reaction by legislators to the growing demands by individuals to know what’s happening to their data. With large security breaches often reported in the media, it’s never been more of an issue than right now. The hope is that it will make businesses think harder about how they handle customer data. The obvious question that presents itself is: what constitutes personal data?
What is Personal Data?
The GDPR directive is quite clear and prescriptive on what personal data is. In short, it constitutes any and all data related to an individual. That includes photographs, email addresses, financial details, IP addresses, and medical information. Interestingly, given the recent events involving Facebook, it also includes social media posts and location details. It’s certainly a comprehensive list and one that every business needs to familiarize itself with.
What About Employee Data?
One of the far-reaching things about the new directive is that it treats everyone as an individual. Whether or not the data relates to someone on work time or is of a private nature, it’s still linked to the individual. That removes any grey area over whether data obtained through someone’s job is personal data: it always is.
What Powers are in Place?
From May 25th every business will have to ask permission if they intend to move data outside the EU. The consent can only be granted by the individual customer, which the directive plans to make the cornerstone of its approach. Due to the costly and time-consuming nature of asking every single customer, this is clearly impractical. It is expected that widespread outsourcing to India, the Philippines, and Vietnam will cease overnight. If not, then fines of up to 4% of annual revenue can be applied.
How is Customer Consent Granted?
Until now businesses have been able to act first and then add disclaimers to cover consent later. It’s been enough to add opt-outs that are sent with marketing materials and assume customers will leave if they want to. What the GDPR does is change all of this. Businesses will have to show they’ve been granted consent for each action. There will be no blanket coverage and no retroactive granting of opt-outs. Customers will also have the right to withdraw their consent at any time. Clearly, a lot more data will stay in the EU.
What New Rights Will Customers Have?
Customers will now have the right to access their personal data free of charge. Businesses will be obliged to provide an electronic copy and explain how they’ve been using it. In addition, there will be the right to have personal data deleted should a customer wish to end their relationship. Along with this, customers will have the right to move their data across platforms easily. That provides more freedom to choose a new provider and puts power back into the hands of the individual.
How Can Customers Exercise Their Rights?
Should a customer wish the processing of their data to cease, the company is obliged to do so immediately. The same applies when a request is made to amend incorrect or out-of-date data. Perhaps most pressingly in the current climate, businesses have 72 hours to inform all parties of data breaches. This is designed to put a stop to large-scale breaches like at Yahoo that went unreported for years.
The Effect on Businesses
Rather than being an IT technicality, the GDPR is a far-reaching directive every business needs to understand. It will impact on marketing and sales activities for businesses of all sizes. Businesses can no longer harvest email addresses and use them how they want. There will be restrictions on selling information to other companies, and the customer will have ownership of their data. Even if you purchase a marketing list from another company, you take on the responsibility for ensuring compliance with GDPR.
Even something as simple as adding customer information to a central database after a trade-show will change. The far-reaching nature of the directive ensures that there are no loopholes or grey areas. Data linked to an individual is always personal, whether it was gathered on work time or not. It can no longer be sold on or outsourced with presumed consent. This makes it a compelling piece of legislation that no business can afford to take lightly.
The Outlook for the Outsourcing Industry
With a whole raft of new restrictions in place, it is anticipated that outsourcing outside of the EU will become impractical. That could create a burgeoning industry within the EU. Or it may see businesses take on more of the work in-house to ensure strict compliance. It is clear that in 2018 the emphasis will be on providing transparency and accountability with personal data.
This is set to take a significant amount of power away from big business and put it back in the hands of the consumer. The fallout of this could well be a dramatic shrinkage in the size of the outsourcing industry.