The General Data Protection Regulation, known as GDPR, is the European Union’s (EU) privacy regulation; it takes effect May 25th.
This legislation is significant in that it imposes some of the broadest restrictions yet on how businesses protect individuals’ data—both keeping data private and secure from breaches, and increasing the measures by which businesses will be held accountable.
The EU is instituting GDPR to protect the data and privacy of anyone living in the EU (citizen or not). It doesn’t protect EU citizens living outside of the EU.
Since several of our clients have asked about GDPR, I thought I’d walk through some of the basics in case you either work within the EU or handle data relating to EU residents. Here are some of the top headlines from the EU’s GDPR legislation:
Opt-in email consent needs to be unambiguous—your company cannot tie opt-in consent to other offers or action items. Many marketing departments would love to get email addresses from all of their clients—say when they make a purchase—and send out promotions to those clients when they have special offers. Often, websites will have default settings that opt a person in to various marketing materials when they sign up for a specific service or make a purchase. After May 25th, those types of actions will be in violation of GDPR. You must clearly state how data will be used when it is collected and not link two actions as one (like an email request with a purchase).
Requests to access, change, or delete personal data—probably one of the biggest changes with the new legislation is the right for EU residents to access, change, or delete their personal data from a business’s database. EU residents can also request that companies stop using their data for marketing, profiling, targeting or personalization. This new regulation will likely make companies that interact or engage with EU residents rethink their marketing and client engagement efforts, specifically around how they store, collect and use individuals’ data.
Currently, most businesses do not have adequate controls in place to even comply with an individual’s request to delete, access, or change personal information.
Withdrawing consent to use personal data must be simple—an individual’s withdrawal of consent for a business to use their information must be simple, accessible and transparent. The opt-out process must be as easy as opting in. Many current websites do not offer users an easy way to withdraw from programs. This will have to change in order to comply with GDPR.
Fully documented data privacy and protection—your business will be required to publish complete, documented descriptions of how you protect individuals’ data and keep that data private. That includes making sure any third-party vendors or affiliates that may modify the data are covered as well (with detailed descriptions of the measures they take to protect individuals’ data).
If your business will need to comply with GDPR, this may be a good discussion to bring up with your Business Technology Manager (or your IT Support team) to ensure that all of your ducks are in a row.
The big question most are curious about: Does GDPR impact US businesses?
The answer is YES!
If you’re not familiar with GDPR yet, you’re certainly not alone. Most US-based companies have not paid any attention to this massively complex set of regulations—not even to the fact that businesses in the US may be held accountable under GDPR even if they are not incorporated in the EU.
Here are a couple of things to pay attention to:
Any company that holds EU resident data is affected by GDPR—any company that stores EU resident data in its systems will be required to meet the data standards laid out in GDPR. This includes selling products and services to EU residents, monitoring their behavior, or collecting, storing or transmitting data on EU residents.
Bottom line: if your company handles personal data of EU residents, you must follow GDPR.
You may have to fork over BIG bucks if found in violation of GDPR—if you fail to follow the rules, you may face big fines. Effective May 25 (THIS week), GDPR regulations will start handing down penalties—anywhere between 2-4 percent of a company’s revenue from the prior year. According to most experts, if you do fall under GDPR, you risk facing fines immediately.
Should you worry about GDPR? While most businesses likely will not have to comply with GDPR, you probably should check with your legal counsel to make sure that is the case. And, as always, if you have any questions relating to your data storage, maintenance, curation and security, feel free to ask us.