Every country has its own consumer data protection laws. However, the EU General Data Protection Regulation (GDPR) is more thorough and all-encompassing than almost any other set of data protection laws. Hence, if you comply with the GDPR, you’ll be compliant in almost any other country.
Also, fines for violating the GDPR max out at 20 million Euros or up to 4% of a company’s global turnover for the previous fiscal year. So, complying with the GDPR is certainly a smart financial move.
The good news is that you can maintain GDPR compliance by taking a handful of steps, which won’t have much — if any — negative impact on your business operations.
What information is protected under the GDPR?
In short, everything.
Any data that could be considered personal data falls under the GDPR. This includes email addresses, phone numbers, names, physical addresses, and even IP addresses.
It’s best to assume that any and all customer information you have is subject to GDPR oversight.
How to maintain GDPR compliance
Following the GDPR boils down to three primary things: opt-ins, opt-outs and personal data management.
Under the GDPR, you must get consent to contact customers through any communication channel. This includes SMS, email, direct mail, phone calls, and any other communication media.
The easiest way to do this is through automated opt-ins. Whenever a customer asks you to contact them — whether that’s by subscribing to your email list or signing up for text alerts — you should include an opt-in checkbox or form that gets the consumer’s permission to collect, store, and use the necessary contact information.
Also, if your company has multiple distinct branches that provide unrelated products or services, you need separate consent from customers for contact about each product or service.
For example, General Electric makes light bulbs and military weapon systems. Customers that have given consent to receive emails about light bulbs have not given consent to receive emails about military-grade weapons, even though they’re both produced by the same company.
Lastly — and it should go without saying — but if a customer does not give you permission to contact them, DO NOT contact them.
Always include opt-out information
The GDPR also requires that you give customers a way to revoke consent to contact and that you always honor opt-out requests.
That means that you must always include an unsubscribe link in your emails, instructions for how to stop further messages in your SMS communications, and a way for customers to get you to stop calling them.
In essence, you need to make it clear to customers how to ask you to stop contacting them, and you must honor any requests to cease contact. Additionally, it is best to discard any stored information you have about a customer if they ask you to stop contacting them. This leads into the third element of GDPR compliance: data management.
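To make the opt-in, opt-out and data-discard rules above concrete, here is a small consent ledger written as an added example for this article (it is not Telnyx code). Channels, purposes, the opt-out footers and the sample customer are all constructed; consent is tracked per channel and per purpose, a message cannot go out without a matching opt-in, every message carries opt-out instructions, and a full opt-out discards the customer's stored record.

```python
from dataclasses import dataclass, field

# Constructed per-channel opt-out wording appended to every outbound message.
OPT_OUT_FOOTER = {
    "email": "To unsubscribe, visit https://example.invalid/unsubscribe",
    "sms": "Reply STOP to stop receiving texts",
}

class NoConsent(Exception):
    """Raised when a message would go out without a matching opt-in."""

@dataclass
class Customer:
    contact: dict = field(default_factory=dict)   # channel -> address
    consents: set = field(default_factory=set)    # {(channel, purpose), ...}

class ConsentLedger:
    """Tracks opt-ins per channel *and* per purpose (product line)."""
    def __init__(self):
        self.customers = {}   # customer id -> Customer

    def opt_in(self, cid, channel, purpose, address):
        c = self.customers.setdefault(cid, Customer())
        c.contact[channel] = address
        c.consents.add((channel, purpose))

    def can_contact(self, cid, channel, purpose):
        c = self.customers.get(cid)
        return c is not None and (channel, purpose) in c.consents

    def send(self, cid, channel, purpose, body):
        """Return the outbound message text, or raise if consent is missing."""
        if not self.can_contact(cid, channel, purpose):
            raise NoConsent(f"{cid}: no opt-in for '{purpose}' via {channel}")
        return f"{body}\n{OPT_OUT_FOOTER[channel]}"

    def opt_out(self, cid, channel=None):
        """Revoke consent for one channel; with channel=None, stop all contact
        and discard everything stored about the customer."""
        c = self.customers.get(cid)
        if c is None:
            return
        if channel is None:
            del self.customers[cid]
            return
        c.consents = {(ch, p) for ch, p in c.consents if ch != channel}
        c.contact.pop(channel, None)
```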
Customer data management
First, you may not share customer data with other companies or third parties without first obtaining consent from the customer. Additionally, you must keep customer information secure whenever you store, use or transmit that information.
Technically, the GDPR does not explicitly say that you must encrypt customer data. However, it repeatedly mentions encryption and specifies that you must implement “appropriate technical and organizational measures” to protect customer data. When it comes to digitally storing and transmitting information, encryption is certainly an appropriate technical measure.
Keeping your own databases secure is one thing. Transmitting data is a separate challenge, since you must often send data through external networks.
The best way to ensure that you’re taking appropriate technical measures to keep customer data safe, even when you’re transmitting it through external networks, is to work with data providers that can encrypt your data from end to end.
Telecom carriers that operate their own private networks, like Telnyx, can guarantee that your data is always encrypted because they keep your data on their own network, rather than sending it through third-party operator networks or the public internet.
Encryption is pretty much standard these days. So, evaluate your data providers and cloud communications carriers and work with companies that can encrypt your data whenever it’s on their network.
That way, you’ll never have to worry that your company might be accused of failing to take appropriate technical measures to keep customer data safe.
The GDPR is thorough. But if you follow the essential steps, you won’t run afoul of the rules. As a bonus, you’ll be more than compliant with data protection laws in most countries outside the EU.