Beginning on May 25, the European Union (EU) will begin to enforce the General Data Protection Regulation, a data protection law with the goal of protecting private or personal data belonging to EU citizens.
The enactment of the law will have far-reaching implications for businesses worldwide, even if those businesses don’t operate within the boundaries of the EU. That means your business, including and especially your marketing and advertising efforts, may be impacted.
Below, we’ve listed a handful of frequently asked questions that should help you to better understand what GDPR is and why compliance with GDPR is important for your business, even if you don’t operate in the EU.
What is the GDPR?
The General Data Protection Regulation (GDPR) was adopted on April 27, 2016, as a measure to replace the 1995 Data Protection Directive, which was a measure that aimed to protect the personal data of residents of the European Union. The 1995 directive was broadly meant to protect any information that could be traced or attributed directly to an “identifiable natural person” or “data subject.” Examples of such data could be an address (physical or virtual), credit card number, photo/video, password or medical record, all of which citizens of Europe would prefer to keep private.
The 1995 DPD prohibits the processing of such data unless certain criteria are met. For the sake of brevity, we won’t dive into those criteria here but suffice it to say the GDPR has more stringent requirements and protections than DPD.
Here’s the part that’s relevant to non-EU based businesses: The GDPR has a much wider reaching scope than the DPD, meaning that it applies to businesses who market their products to people in the EU or who monitor the behavior of people in the EU. Translation: If you have customers or marketing prospects in the EU, the GDPR applies to you.
What are some key GDPR phrases I should know?
- Data Processor – An outside agency, cloud provider or service provider acting on your behalf with access to personal data of a customer or employee.
- Data Controller – Don’t think of this as a person. Data Controller in this context refers to an organization that collects, retains and processes personal data.
- Data Protection Officer (DPO) – The point person for GDPR compliance, this person would typically work closely with marketing, sales and IT at a company.
When does GDPR take effect?
GDPR will begin to be enforceable on May 25, 2018, superseding the 1995 Data Protection Directive. That means we are less than two months away from the directive taking effect.
What are the major changes affiliated with GDPR?
Range of enforcement and consent are the two big changes associated with the GDPR, but the law also creates roles to help enforce it, including the appointment of a Data Protection Officer to oversee the increased obligations for Data Controllers and Processors.
The consent piece of this is particularly relevant for anyone engaging in digital marketing or advertising. The GDPR requires that consent to use data be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters.” It also requires that consent be an affirmative action, meaning no more assuming or inferring consent from other actions or from inaction. In marketing terms, everyone needs to opt-in vs. just not opting out.
Sites that involve user-generated content should provide for each users’ “right to be forgotten.” For example, you should provide a way for users to delete their own account and possibly delete their content.
How will businesses be affected by GDPR?
Beginning May 25, business operating in or serving customers in the EU must appoint a Data Protection Officer (DPO) to serve as the point person for GDPR compliance and liability. If you work with clients abroad, it’s in your best interest to hire or identify that person within your organization immediately.
Businesses will also have to notify consumers of data breaches more quickly (within 72 hours), and parental consent will be required for children up to age 16.
Additionally, and perhaps most importantly for businesses, the fines associated with GDPR breaches are increasing. Businesses in conflict with GDPR may be fined as much as 4% of their annual global revenue or 20 million Euros, whichever is higher, for their infractions.
If your business doesn’t operate in or serve customers within the European Union, the situation is messier. It’ll be tough to know how GDPR will be enforced within American (or Pacific, African or Asian) countries until the directive has been in effect for some time, but nevertheless, it’s wise for business owners to act as though the same rules and regulations will be enforced globally. Keep in mind that EU citizens have to access your site, and the law applies to any personal data (name, location, email address, etc.) collected from them.
What can you do to prepare?
Hire a Data Protection Officer – Although the GDPR doesn’t expressly mandate that companies hire a DPO, it does require that data controllers and data processors be responsible for GDPR compliance. If your marketers, salespeople or databases are already burdened, it may be wise to go find that person to be a DPO.
Make it a priority for everyone – Implementing GDPR compliance can’t be done in a vacuum because personal data reaches into every corner of your business. Someone from each line of business should have a seat at the GDPR table.
Identify places where personal data is stored and how it’s processed – Questions that should be considered include:
- What data is being collected?
- Where is the data being sourced from?
- Why is the data being collected?
- How is the data processed?
- Who has access to the data?
- How long is the data retained for?
- Where is the data being transferred to or used?
Work with partners that are GDPR-compliant – While there are a number of consent verification providers that could serve as valuable allies in your brand’s quest to become GDPR compliant, your search shouldn’t end there. You want to be certain that your CRM, marketing and/or PR partners are also compliant because you can be held accountable for breaches made by data processors that you work with. Conduct a Data Privacy Impact Assessment (DPIA) before making any final decisions.
Update your policies and notices – It’s important that your current policies and notices around personal information will be fully GDPR compliant, so be sure to get these updated before May 25 and to share them with staff and customers alike.
Need a Data Privacy Impact Assessment? Reach out to Raka today.