Beginner's Guide

Data usage can lead to hefty fines if you are not compliant
Jaimi Koechel, Henry+Horne

What is Data Compliance?

Data compliance ensures you are following the regulation requirements that are put in place by governments to protect personal data. Every day our personal data is being gathered and stored, and every time you go online you are leaving a footprint of data for companies to collect. Companies are collecting this data and using it to their benefit to market to you. They are collecting data from the websites you use, the calls you make, the places you visit and the photos you take. They will use this information to communicate to you and influence your buying decision, or even sell your information to other companies.

The most recent and notable data compliance regulations are the GDPR and the CCPA, and both are affecting the accounting industry.


What is GDPR and CCPA?

The General Data Protection Regulation, also known as GDPR, is a regulation put in place by the European Union (EU) to protect your personal privacy. Effective May 25, 2018, your firm has been required to follow the GDPR if you:

  • Do business in Europe;
  • Store or process personal information of European citizens or residents; or
  • Provide services to those companies.

If your firm is a non-EU company and you process personal data of EU residents, you might need to appoint a GDPR representative for your firm. The EU requires this to strengthen data protection. However, there are many rules around this requirement, and your firm might not qualify as being required to appoint a GDPR representative. I would suggest you investigate to determine whether your firm requires a representative.

If you have a website that collects personal data from your website users, you need to comply if you collect information from a European citizen or resident. Make sure you get consent to collect the user’s personal data. You need to let the user know why you are collecting the data and how it is being used, and you cannot change how you use the data later. The user also has a right to know if there was a breach of their data at any time. Is your firm set up with the processes and tools in place to notify individuals if their data has been compromised?

The California Consumer Privacy Act (CCPA) was signed into law in June 2018, and only applies to California residents and those operating in California. It’s important to stay informed of the CCPA so that when it does apply to your state you are ready to be compliant. This law applies to:

  • Companies that deal in consumer data related to California customers; and
  • Companies that employ California residents, either as full-time employees or independent contractors.

Even if you don’t live or operate in California, you might want to consider adopting the privacy act, because I am sure the law will make its way across the country. It will probably take a significant amount of investment to get the procedures in place, so it’s best to get started sooner rather than later to avoid any possible fines. You will need to figure out an opt-in consent process in order to be compliant. If you are offering e-books or white papers on your website in exchange for personal information, you will need a process in place to get the user’s consent to store and use their data. In order to be proactive, your firm needs to start building data privacy compliance into its everyday practice.


What can happen if you don’t comply?

If you don’t understand data compliance and abide by the law, you could be hit with some hefty fines! You don’t want to violate the data privacy rights of EU citizens because the EU is very comfortable with handing out fines to those organizations that don’t comply. Your firm could face fines of up to 4% of worldwide sales or up to $20.4 million, whichever is greater.

If you do not comply with the CCPA, California state law allows civil penalties under the California Consumer Privacy Act of up to $7,500 for each intentional violation and $2,500 for all other violations. California is still determining what counts as an intentional violation and what falls under all other violations, and this will be figured out within the next few years.


How does it affect you?

As a marketer, you need to get permission to use the data, give access to the data and only collect data that is needed in order to be compliant.

Get permission. Make sure you have processes in place to get email opt-ins from everyone you send an e-blast to. This is key because you must confirm the individual chose to receive your emails, so you can’t have the box automatically checked as a default anymore. Also, how are you going to manage the opt-ins?

Give access. As a marketer, it will be your responsibility to make sure that all individuals can access their data and remove themselves from your database. This can be as easy as having an unsubscribe link in every e-blast you send out.

Only collect data that is needed. Make sure you are not collecting too much information from users. You can only collect the information you need. Do you really need to know your user’s favorite animal before they download your e-book?

When it comes to data compliance, there is a lot of information out there and it can be confusing to wrap your head around. Make sure you get educated and stay focused on getting your policies and procedures in place so that your firm doesn’t end up with hefty fines.