GDPR Protection

How to make your email & website GDPR compliant

Are you marketing to EU consumers, enterprises, and SMBs? Thinking of sending bulk emails to Europeans? Whether you are a business entity established within the EU or outside of Europe, the regulator can enforce GDPR laws under the grounds of your business entity controlling the storage server and processing data or facilitating data processing from European consumers and/or companies.

What is an incidence of GDPR violation? 

Being the mind and management of a company, business owners and employees should be mindful about the data source and how data is handled. For example, where obtain these email lists are obtained? Are they purchased list or opt-ins?

Opt-ins means direct consent from the customer or employee in a company. If a customer never requested to receive email communication from Company Widget, Company Widget is in violation of the GDPR law. European customers care about their privacy and consumer protection rights, so they are likely to report GDPR violation to the regulators.

Some customers will unsubscribe, keeping their emails and personal data on your server automatically constitutes a GDPR violation. To be compliant, you should immediately remove their email contact from your server and stop any related email marketing campaign communications.

How to be GDPR compliant?

The GDPR is a data protection law applied in the European Union, outlining mandatory measures to obtain consent to data collection from EU citizens browsing on your web page. This new law was enforced as of May 25, 2018.

What visitors see on a GDPR compliant website:
  1. Request consent from users to access and collect data
  2. Track visitors’ browsing activity with cookies
  3. Visitors can select an option to disable cookie. So they have the right to be forgotten.

Compliance to data privacy laws is mandatory. In accordance to Article 83 in the regulations, fines can be levied up to 20 million Euros or 4% of the fiscal revenue in more severe data breach cases, whichever amount is higher.

Criteria for GDPR compliance

To be GDPR compliant, a company should have a full disclosure on in privacy policy in plain English. (In addition, to the cookies consent and permissions form):

  • What information they collect
  • How they safeguard personal data
  • What they do with personal data after they collect
  • The legal basis of processing their personal data
  • When and how they share personal data with others
  • How long they keep the users’ personal data
  • Enable users to set their preferences on data collection

This will allow all EU citizens to understand how their data is collected and handled. And to what extent they are granting your company access to their private data.

GDPR Data Breach Cases

The DSK Bank (Bulgarian unit of the OTP Group) was fined 1 million Lev in August 28, 2019 for a data breach involving over 33,000 client accounts which have taken bank loans. Information regarding personal identities of both borrowers and loan guarantors such as: full names, addresses, ID cards, property deed data were inappropriately leaked to third parties from the bank. The DSK Bank conducted an internal checks showing that bank system was not hacked, and data breach occurred through other illegal means.

Unicredit Romania received a fine of EUR 130,000 in July 4, 2019, until the bank was sanctioned until remediation measures was enacted. This penalty was imposed to Unicredit Bank S.A. as a result of negligence in implementing personal data protection principles, as well, as safeguarding data processing procedures, to meet the GDPR Requirements and protect the rights of the data subjects.

OTP Group of Hungary received HUF 55 million fine in July 21, 2016 due to deficiencies in IT securities, credit evaluation and data provision errors. OTP Bank agreed to cooperate with the National Bank Of Hungary (MNB)’s comprehensive review and oversight authorities to carryout remediation measures prior to the deadline assigned by MNB.

*** There is no exemption in GDPR compliance whether you have fewer than 250 employees or more than 250 employees. The GDPR is mandatory for companies that are involved in transacting, and handling data with European clients. All organizations must understand the bigger picture of their IT infrastructure and secure all applications in their estates. If you have 250 or more employees, it’s important to hire a DPO (Data Protection Officer) to take care of PII protection, without conflict of interest. ***

Consequence of GDPR non-compliant

Depending on the category of violation, companies can be fined up to €10 million, or 2% of annual global turnover. The regulator will elect an amount whichever is greater; or. Up to €20 million, or 4% of annual global turnover – whichever is greater.

Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:

  • 8 (conditions for children’s consent);
  • 11 (processing that doesn’t require identification);
  • 25–39 (general obligations of processors and controllers);
  • 42 (certification);
  • 43 (certification bodies)

Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:

  • 5 (data processing principles);
  • 6 (lawfulness of processing);
  • 7 (conditions for consent);
  • 9 (processing of special categories of data);
  • 12–22 (data subjects’ rights);
  • 44–49 (data transfers to third countries or international organisations)