General Data Protection Regulation Goes into Effect on May 25
You’d better get ready! Wait … for what?
The GDPR (General Data Protection Regulation) is a new EU regulation that replaces the 1995 EU Data Protection Directive (DPD). It significantly enhances the protection of the personal data of EU citizens and increases the obligations of organizations, including those in the U.S., that collect or process personal data.
The regulation will be in force on May 25, 2018. The 1995 EU Data Protection Directive it replaces is something most of us Americans know very little about, but the GDPR that replaces it is a big deal. Basically, we are talking about people’s privacy rights, which become more and more important in our vast digital world full of scammers, spammers, and basically a lot of dishonest folks. The regulation includes several new provisions to bolster the rights of data subjects, and it also adds harsher penalties for violations.
Okay, so why all this noise about GDPR compliance? After May 25 your company will need to meet the GDPR requirements. And as with most regulations, some companies and organizations will drag their feet on compliance. If you are an EU company, or an American company selling to an EU company, you can be penalized significantly, as noted above, so take notice.
Why Is this Not a Bad Thing?
We have all been spammed. How many times does your phone ring at home with a call from someone you never wanted to hear from? Well, GDPR is concerned with what personal data we, as a company or organization, collect and store.
An overarching concern is whether or not companies have obtained this data fairly and with consent. With that consent, data subjects need to be informed of the specific purpose for which companies use their data. As well, at the time the information is collected, companies must be clear and unambiguous about that purpose, and parties need to be informed of their right to withdraw consent at any time.
As companies that collect personal data, we need to ensure that we are not holding people’s data for any longer than is necessary, and we need to keep the information up to date.
There is a whole list of other categories around the issues of safety and security. Some include:
- Is our data safe from hackers and other nefarious individuals?
- Are we protecting sensitive data, such as genetic, biometric, and medical data?
- Are we transferring the personal data outside the EU, and if so, do we have adequate protections in place?
8 PRINCIPLES OF GDPR*
- Obtain and process personal data fairly
- Keep it only for one or more specified purposes
- Process it only in ways compatible with the purposes it was initially given—and transparently communicate that with people it is being collected from at the time of collection
- Keep it safe and secure
- Keep it accurate and up to date
- Ensure that it is adequate, relevant, and not excessive
- Retain it no longer than necessary
- Give a copy of personal data on request
Okay, So Why Is this Good News?
As professional inbound marketers, we are also in the consensus business. Our goal is to offer our clients, or our clients’ customers, valuable information that they may seek and use in the operation of their businesses. We want to gain their trust and offer transparency. So, of course we want to protect their privacy, and we want to communicate with them only if permission is explicitly granted and our intended use of their data is clearly stated.
In cases where our third-party vendors are processing personal data on our behalf, we want to ensure our contracts with them have been updated to include those same processor requirements under the GDPR. For us and most of our clients, HubSpot is our digital communication software. HubSpot is totally committed to GDPR, and many of the references in this blog are thanks to HubSpot.
Difference between GDPR and CAN-SPAM:
The U.S. and EU rules on privacy protection are currently different because the principles that underlie them are very different. Protection of personal data is considered an important basic right in Europe, while First Amendment rights of businesses are important in the United States. This means that the GDPR is opt-in legislation (citizens need to explicitly give consent) while CAN-SPAM legislation is opt-out legislation, where contacts either opt-out or unsubscribe.
GDPR’s scope is vast, and the intention of this blog is not to provide an extensive education on it, but to provide a quick heads-up and some references.
Three quick takeaways to move forward with:
- You need to be aware of it—and comply—if you do business in the EU
- It will probably inform (near) future legislation in the U.S.
- The privacy and data it means to protect is good for all of us
If you would like a consultation on how to work this into your marketing strategy, contact us.
*The 8 principles are provided by HubSpot.
For more detailed information on GDPR, here are a few excellent resources:
If you'd like help with next steps after viewing these resources, get in touch with us!