General Data Protection Regulation: What You Need to Know

By Melissa Duko, January 24, 2018

The General Data Protection Regulation (GDPR) is nothing new. It’s been in the works since 2016 when the European Union (EU) drafted legislation to regulate consumer privacy. But for U.S. companies, the deadline to get on board is fast approaching. They have until May 25, 2018 to update their current policies and ensure compliance.  

So, what does this mean for your business? Here’s what you need to know.  

What Is GDPR

GDPR is user data protection for EU citizens. It regulates the collection and usage of personal data belonging to a living, identifiable person. A person counts as identifiable through factors such as: name, photo, email address, bank details, social media posts, medical information, and computer data (e.g. location data, IP address, cookie data, and RFID tags).


Under GDPR, all companies are legally required to handle consumer data carefully and to provide consumers with the tools to control, monitor, and delete any personal information they want. Should a breach occur, businesses have to alert consumers within 72 hours.

Who GDPR Affects

Here’s who will be affected by GDPR:

Businesses. Since GDPR offers EU citizens protection no matter where their data travels, it affects how all businesses globally handle consumer privacy. For example, if you are a U.S. based business that’s accessible to citizens in the EU, you need to follow GDPR guidelines, too.

And it’s not just data protection businesses need to worry about. If a business uses a hard-copy form that’s accessible to or processed by an automated system, that also falls under GDPR. And companies can no longer provide free WiFi to consumers in exchange for their browsing data unless customers affirmatively agree to share that data, and that permission isn’t easy to get from transient customers.



Data Management Platforms. Depending on how they define themselves, Data Management Platforms (DMPs) will also be affected. If they are defined as a data processor, that means they process third-party data through cookies for lookalike targeting. In this scenario, consent isn’t needed to use cookies, so they’ll be exempt from GDPR. However, if DMPs define themselves as a data controller, they will have to follow the rules of GDPR. It’s important to note that consent is hard to track in a third-party relationship.


Marketers. Some marketers who handle brands’ data strategies think it’s likely they’ll need to go back to old school methods like proxies and building probabilistic models to leverage data, since many technologies can’t be used in Europe. However, they don’t feel that’s necessarily a bad thing.

Media Companies. Depending on their business model, media companies can be impacted. Data brokers like Experian will need to revise their processes for collecting and selling user data. And the impact on social networks like Facebook remains to be seen.

Consumers. The biggest winners of the GDPR are consumers. They’ll get enhanced personal data protection, improved access to their data, and the ability to opt-out.  

Consequences For Violating GDPR

Violate GDPR and be prepared to face the consequences, which are steep. Fines fall into two classifications: less severe breaches and more severe breaches.


For less severe breaches, the maximum fine is $10 million or 2% of the company’s annual revenue, whichever is greater. If it’s a more severe breach, the maximum fine is $20 million or 4% of the company’s annual revenue, whichever is greater.

What You Need to Do to Be Compliant

So, the million dollar question (literally), what do you need to do to be compliant? Make sure you:

Get Clear Consent. Clearly and specifically request consent, using plain English, before collecting, storing, or using a person’s personal data. At this time, it’s not known if “double opt-in” will become mandatory. But it can’t hurt to employ the two-step mechanism where a person must confirm their email address after initially signing up.

Allow Individuals to Withdraw Consent and “Be Forgotten.” Every individual under the GDPR has the right to withdraw consent and to “be forgotten” (i.e. have their personal data securely and completely deleted). When a person requests this, deletion must be done immediately.

Review Your Privacy Policy and Contracts. Make sure they’re easy to understand and clearly spell out what data is being collected and for what purposes.


Have a Plan in Place for a Data Breach. In the event that personal data is breached, you must alert the affected individuals within 72 hours. Have a plan in place for handling the breach, which also needs to include a crisis communication component.

Create New Positions. Some brands are creating new positions like “Data Privacy Officer,” specifically to address and handle GDPR. If it makes sense for your brand, go for it.

Use a Data Center That’s GDPR Compliant. Make sure the data center that’s hosting your server is GDPR compliant. Compliant providers include Amazon (AWS), Verizon Terremark, Datapipe, etc.

HubSpot also has a handy GDPR Compliance Checklist. As technology continues to evolve, it’s likely GDPR will adapt with it. But so long as you’re doing everything you can to be compliant now, you’ll have nothing to worry about.


Melissa Duko


Melissa Duko is the Senior Editor and Digital Specialist for Anura. She brings to her role more than a decade of journalism and editing experience. A graduate of the University of Delaware, she holds a Bachelor of Arts in English with a concentration in business and technical writing and a minor in Art History. She also has a Master of Science in professional writing for the public and private sector from Towson University. She isn’t afraid to admit that her love for Starbucks is at gold member status (since 2011!).