BACKGROUND on EU’s General Data Protection Regulation (GDPR)
As of May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will become enforceable for companies that collect or process the data of individuals within the EU. Adopted by the European Parliament and Council in April of 2016, GDPR grants EU residents greater data privacy and offers them more control over the use of their personal data.
With less than one month until the enforcement date, many international brands and tech companies are evaluating their data collection practices to ensure that they are compliant with the regulation’s new guidelines. Established to replace the existing Directive 95/46/EC, which was created in 1995 and proposed similar guidelines around data protection for EU citizens, GDPR is meant to deal with rapid technological development and increasing globalism.
While the regulation was created to protect individuals living within EU member states, GDPR also includes implications for companies outside Europe. The legislation acknowledges the importance of data in a global economy and seeks to ensure that the data can be safely used by entities inside and outside the region.
Most notable for organizations evaluating their data practices is the heavy fine that can be levied against those violating the regulation’s rules. GDPR promises a tiered fine of either up to 4% of a company’s gross annual revenue or up to 20 million Euro, whichever is greater. Fortunately for many US-based businesses, the regulation will only apply under certain circumstances, outlined in the final section of this POV.
RULES CITED WITHIN GDPR:
There are several specific rules within the regulation. Data processors (advertising networks and data analytics tools) and controllers (businesses and data companies) must adhere to these specific rules if they are to remain compliant. The rules include:
CLEAR CONSENT
The primary purpose of GDPR is to strengthen the conditions of consent for individuals (“data subjects”) whose data is being collected. For this reason, the regulation states that users must now opt-in to data sharing, rather than it being the default setting. Additionally, it must be as easy to withdraw consent as it is to give it.
BREACH NOTIFICATION
Data processors and controllers that have collected information on citizens of European Union states are now obligated to notify the public within 72 hours of a known data breach.
RIGHT TO ACCESS
Expansion of the rights of individuals is also a major stipulation of GDPR. Within the regulation, individuals whose data has been gathered have the right to know if data about them has been collected and for what purpose. Data controllers must also provide a copy of personal data, free of charge, if requested.
RIGHT TO BE FORGOTTEN
Should data no longer be relevant or should a data subject withdraw consent, data controllers may be required to erase data, cease the dissemination of data, and/or halt third parties from using the data.
PRIVACY BY DESIGN
Now a legally binding guideline during system creation, data controllers are required to design data collection systems with privacy as a forethought, rather than as an afterthought.
DATA PROTECTION OFFICERS
Finally, data controllers and processors that monitor data subjects on a large scale must appoint a data protection officer to oversee adherence to GDPR. Note that the scale is undefined within the regulation.
WHAT GDPR MEANS FOR MARKETERS
The first distinction marketers must make when determining if their business falls within the jurisdiction of GDPR is whether the organization actively targets and processes the data of EU citizens. A company is not subject to GDPR if its website is discovered through a search engine or social network without any targeting or customization that aim to attract the European user.
Companies inside and outside of Europe that do intend to target and process the data of EU citizens, including international ecommerce websites and digital services, must comply with all aspects of GDPR. Businesses targeting those within the regulation’s protection should work to become compliant by the May 25 enforcement date, adding data consent fields, ensuring data can be removed from systems, and possibly appointing a data protection officer.
To clarify the distinction between which entities are affected by the regulation and which are not, the following two business cases reflect an example of each. The first is a motor vehicle insurance company that operates only within the United States. This business would not be required to follow GDPR because it does not market to European citizens. By contrast, a clothing manufacturer that does business internationally, including selling to consumers in the EU, would be required to adhere to the regulations.
Additionally, although many of the data processing systems utilized by marketers have been updated to adhere to GDPR – platform updates have been announced for Google Analytics, Google AdWords, Facebook, and many other tools – brands and marketers are still liable for the data collected through these systems. Even if a system is compliant, the use of that system by a data controller to market to EU citizens places the responsibility on the company using the system.
Regardless of whether a company is subject to GDPR, the weeks leading up to its enforcement date offer marketers and data managers time to evaluate the data practices of their own organizations and of third-party data processors. Increased transparency and more mindful consideration of what data is collected and why will benefit the industry overall.