NOTE: This material is for general information only and is not legal advice.
A new piece of legislation has been enacted in the European Union (EU). This blog aims to inform and educate people on its effects on marketers and individuals alike.
On May 25, 2018, a landmark privacy law called the General Data Protection Regulation (GDPR) took effect in the EU. This is the most significant piece of privacy legislation crafted by the EU within the last twenty years.
GDPR expands the privacy rights of EU individuals and places new obligations on all organizations which market to, track data for or handle any EU personal data. It lays out specific requirements for data collection, storage and use, and imposes potentially devastating fines on companies with poor data-handling practices or whose negligence leads to data breaches.
Why does it matter?
GDPR is intended to give European citizens a set of digital rights over their personal data and is comprised of a new set of rules governing the security and privacy of data with respect to how it is processed, stored and used.
Prior to May 25, 2018, practices surrounding consumer data operated under an assumed consent philosophy, in that unless a consumer specifically asks that their personal data be removed (opt-out), it is acceptable for a company to use consumer data as desired, with the sale of consumer data for profit being an exception.
GDPR completely flips this philosophy. All consent must be opt-in consent – there is no such thing as “opt-out consent,” as failure to opt out is not consent.
What if a company isn’t in the European Union?
GDPR applies to any company which collects data on EU citizens, regardless of their physical presence.
What type of data is protected by GDPR?
All personally identifiable information (PII) falls under the new regulations. These include, but are not limited to: names, addresses, phone numbers, email addresses, account numbers and IP addresses.
What are the new requirements?
- Privacy by design – minimizing data collection and retention to only those pieces which are necessary as well as gaining explicit consent to collect, process, store and maintain data (opt in, not opt out).
- Right to be forgotten – the consumer has a right to request their data be deleted not only from the immediate system but from all third-party data sources with which the data has been shared.
- Breach notification – companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered.
- Demonstrate compliance – companies must maintain adequate records to show compliance including tracking what data is stored and for what reason as well as who has access to the data and how it is processed.
What your company should be doing to comply with GDPR
- Data classification – know which EU personal data is stored in your system and in which format.
- Data tracking – know when EU data was collected, why it was collected and for which purpose it serves.
- Governance – understand who has access to EU data and limit permissions based on roles.
- Monitoring – ensure monitors are in place to help spot unusual access patterns across files containing personal data and have a plan in place to notify users if a data breach has occurred.
Think your organization may be at risk? You can conduct a data protection self-assessment
to determine the level of organizational compliance with data processing legislation. Since each organization and situation is unique, a qualified legal team would be best utilized to provide sound guidance.
For more tips and insights on how to take your marketing from now to next, subscribe to our newsletter or contact Nicole Stone – Senior Vice President, Business Development at firstname.lastname@example.org or 414.270.7235.