GDPR & QSR Automations
As a marketer, the first and most important component of a campaign I consider is data. Data drives all of our marketing efforts. It’s important to know who we’re marketing to, and why. What are we marketing to users and how will it help solve their challenges? Does it make sense for what they are trying to accomplish? If we don’t have data, we won’t know the answers to these questions and out goes the opportunity to execute on “targeted marketing campaigns” that appeal to potential customers’ interests. Now enter the General Data Protection Regulation (GDPR).
If you’re not familiar with what the GDPR is, you’re not alone. According to a recent survey done by HubSpot, 39% of U.K. consumers are unfamiliar with the GDPR and 64% of U.S. consumers are unfamiliar with it. The GDPR was approved back on April 14, 2016 and will replace the Data Protection Directive. The GDPR is a regulation in EU law on data protection and privacy for all individuals in the EU. QSR Automations takes each and every individual’s data and privacy seriously.
We have collaborated with CompliancePoint, a third-party consulting firm, to conduct a risk assessment and determine how we are currently handling personal data, as well as provide guidelines and expertise on how to ensure we are compliant by the deadline.
Q&A with Matthew
Why does the GDPR exist?
The GDPR exists because privacy is fundamental in the EU, and the GDPR sets out to provide clear and concise rights and protections to people in the EU and provides obligations that organizations must meet. Further, with 28 member states, it was extremely difficult for organizations to comply with the myriad of regulations and requirements from each member state. The GDPR, unlike the Data Protection Directive currently in place, is a regulation and must be implemented by each member state, making it easier on organizations to know their obligations and comply with the requirements.
When does it go into effect?
The new European Union General Data Protection Regulation (GDPR) will be going into effect May 25, 2018. The ultimate goal of the GDPR is to provide more protection over the personal data of people in the EU.
What type of data does the GDPR protect?
The GDPR covers personal data of EU natural persons. Personal data is anything that can directly or indirectly identify a person in the EU. Direct identifiers like name or address are straightforward but something organizations must wrap their mind around is the indirect aspect and how it applies to their organization’s data environment. For example, things like cookie identifiers or a customer identification number may be considered personal data under this regulation.
How will the GDPR affect QSR’s end users, customers, diners and other individuals we interact with?
Depending on the lawful basis of processing, it could impact the types of communications they receive, when they receive information, and even website experience based on some cookie usage requirements. While some of the requirements are difficult, overall the regulation is requiring organizations to rethink how they process personal data and their overall personal data hygiene.
While the process of defining whether an organization is compliant or not is challenging, is the process for becoming compliant challenging?
We are transparent with organizations that as of today, there is not a certifying body that will award a GDPR compliant seal. This regulation is about accountability and an organization’s ability to demonstrate due diligence in compliance. Given the ambiguity surrounding some of the articles and the fact that it’s not effective and therefore no commentary from the regulators exists, it’s challenging to be 100% on all things GDPR.
We are a US-based company, why do we still need to be concerned about the GDPR?
The GDPR applies to organizations that have a presence in the EU or, where that doesn’t exist, any organization offering goods or services in the EU or monitoring the behavior of those in the EU. It has a large reach and the regulators expect that if it applies, you comply, regardless of location.
What happens if we do not meet all of the requirements of the GDPR by May 25, 2018?
There are rumors that because it’s on a Friday, there is a 2-day extension for organizations to get prepared. In all seriousness, May 25 is the effective date and while we do not expect an enforcement on that date, the regulators expect that organizations have spent the last two years preparing and will be capable of complying with the regulation. We believe regulators will be focused on data subject complaints surrounding access requests, unlawful process, and breaches.
Is there anything else we should share with our peers about the GDPR?
QSR Automations is aware of its obligations under this regulation and is making strides towards ensuring it can fulfill its obligations as a processor and making sure its controller clients are comfortable, as well as its obligations as a controller where applicable.
Additional Questions & Answers from QSR Automations
Why should you, our customer or industry peer, care about the GDPR?
Data. Data is everywhere and whether you know it or not, it’s being collected, which has created this need to protect it. Privacy is of the utmost importance for most individuals and as a restaurant operator or restaurant industry vendor, we must all take people’s right to and need for privacy seriously.
What is QSR Automations doing to ensure that consumers’ data is protected?
About the Author
Amber Mullaney provides and guides all things marketing for QSR. A proud Texan native, she graduated from the University of Houston with a degree in Public Relations and spent her career in the healthcare industry before making the switch to QSR, saying she loves a good challenge. Amber has a long list of things she loves, including tacos (especially tacos), sweet tea, Texas, the outdoors, and traveling with her husband and two daughters.