The General Data Protection Regulation (GDPR) is nothing new. The European Union (EU) adopted it in April 2016 to regulate how personal data is collected and processed, after several years of drafting. But for companies, including U.S. companies that handle data about people in the EU, the deadline to get on board is fast approaching. It applies from May 25, 2018, and by then they must have updated their current policies and processes to ensure compliance.
So, what does this mean for your business? Here’s what you need to know.
What Is GDPR
GDPR is data protection for individuals in the EU. It regulates the collection and use of personal data, meaning any information relating to a living person who is identified or identifiable. Identifiers that can make a person identifiable include a name, a photo, an email address, bank details, social media posts, medical information, and computer data such as location data, IP addresses, cookie identifiers, and RFID tags.
Under GDPR, all companies are legally required to handle personal data carefully and to give individuals the means to access, correct, and delete the personal information held about them. Should a breach occur, businesses must notify the relevant supervisory authority within 72 hours of becoming aware of it, and must also inform the affected individuals without undue delay when the breach is likely to put their rights and freedoms at high risk.
Who GDPR Affects
Here’s who will be affected by GDPR:
Businesses. Since GDPR protects people in the EU no matter where their data travels, it affects how businesses globally handle personal data. For example, if you are a U.S. based business that offers goods or services to people in the EU, or that monitors their behavior (for instance through tracking cookies), you need to follow GDPR guidelines, too.
And it’s not just electronic data businesses need to worry about. If a business uses a hard-copy form whose contents are filed in, or processed by, an automated system, that also falls under GDPR. And companies can no longer provide free WiFi to consumers in exchange for their browsing data unless customers affirmatively agree to share it, and getting that consent from transient customers isn’t easy.
Marketers. Some marketers who handle brands’ data strategies think it’s likely they’ll need to go back to old school methods like proxies and probabilistic models to make use of data, since many of the tracking technologies they rely on can’t be used in Europe as they are today. However, they don’t feel that’s necessarily a bad thing.
Media Companies. Depending on their business model, media companies can be impacted. Data brokers like Experian will need to revise their processes for collecting and selling user data. And the impact on social networks like Facebook remains to be seen.
Consumers. The biggest winners of the GDPR are consumers. They’ll get enhanced personal data protection, improved access to their data, and the ability to withdraw consent and opt out of processing.
Consequences For Violating GDPR
Violate GDPR and be prepared to face the consequences, which are steep. Fines fall into two tiers: less severe infringements and more severe infringements.
For less severe infringements, the maximum fine is €10 million or 2% of the company’s total worldwide annual turnover for the preceding financial year, whichever is greater. For more severe infringements, such as breaching the basic principles for processing or individuals’ rights, the maximum fine is €20 million or 4% of worldwide annual turnover, whichever is greater.
What You Need to Do to Be Compliant
So, the million dollar question (literally), what do you need to do to be compliant? Make sure you:
Get Clear Consent. Request consent clearly and specifically, in plain language, before collecting, storing, or using a person’s data, and keep a record of when and how that consent was given. Consent must be freely given and active: pre-ticked boxes or consent buried in terms and conditions don’t count. GDPR does not mandate “double opt-in,” but it can’t hurt to employ the two-step mechanism where a person must confirm their email address after initially signing up, since it also gives you proof that the address belongs to the person who consented.
Allow Individuals to Withdraw Consent and “Be Forgotten.” Every individual under the GDPR has the right to withdraw consent at any time, and withdrawing must be as easy as giving it was. They also have the right to erasure, or to “be forgotten” (i.e. to have their personal data securely and completely deleted). When a person requests this, act without undue delay and in any case within one month, and make sure the deletion reaches every copy, including those held by third parties you have shared the data with. If a legal obligation requires you to keep some of the data, tell the person what you are keeping and why.
Have a Plan in Place for a Data Breach. In the event that personal data is breached, you must notify the supervisory authority within 72 hours of becoming aware of it, and notify the affected individuals without undue delay if the breach is likely to result in a high risk to them. Have an incident response plan for handling the breach, which also needs to include a crisis communication component, and keep a record of every breach, whether or not it had to be reported.
Create New Positions. Some brands are creating new positions like “Data Protection Officer” (DPO) specifically to address and handle GDPR. Appointing a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of sensitive data. Otherwise, if it makes sense for your brand, go for it.
Use a Data Center That’s GDPR Compliant. Make sure the data center or cloud provider hosting your server supports GDPR compliance and will sign a data processing agreement setting out its obligations as your processor; under GDPR you remain responsible for what your processors do with the data, so a provider’s compliance does not by itself make you compliant. Providers that have published GDPR commitments include Amazon (AWS), Verizon Terremark, Datapipe, etc.
HubSpot also has a handy GDPR Compliance Checklist. As technology continues to evolve, it’s likely the guidance around GDPR will adapt with it. But so long as you document what personal data you hold, why you hold it, and how you protect it, and keep doing everything you can to be compliant now, you’ll be in a strong position.