Privacy is a topic on everyone’s mind right now. Consumers, shaken to the core by Facebook’s recent breach, are beginning to rethink what they put online. Legal and governmental institutions are starting to crack down on what info companies collect—and distribute. Europe has made it clear that protection of personal data is a top priority.
That’s why they’ll start enforcing the GDPR (General Data Protection Regulation) on May 25, 2018. Passed by Parliament over two years ago, the major piece of legislation couldn’t go into effect at a more relevant moment. But what exactly does the GDPR mandate? Essentially, it requires companies to obtain users’ consent before collecting and processing their data.
Data is a broad word, though. It can encompass a whole lot of s**t. Data covered under the law includes, but is not limited to, the following:
The whole aim of the GDPR is to restore power to users whose data has been stored, or stolen if we’re being frank. While some people may be savvy enough to understand what happens to info online, most can’t fully grasp the depth of what some companies know about them. Moving forward, all companies must ask users if they can access their data. And the asking language can’t be obscured by dense, hard-to-follow legal jargon. Users can also request things like data deletion, personal copies of their data and more. Batten down the hatches. We’re on the cusp of a data revolution.
There are two classes of data handlers when it comes to personal data: controllers and processors. Here’s the difference between them.
In the event of a breach, data processors are required to notify users whose data has been compromised within 72 hours. Per the BakerHostetler Data Security Incident Response Report, that response time isn’t even close to being met. In 2017, overall incident response times with user notifications were a shameful 38 days.
Data controllers and processors need to have proof that a user opted in to allow them to handle any personal data. Passive opt-ins don’t comply with the data protection law, and neither does grandfathering. Just because a company held personal data before the law is enforced doesn’t mean it has a right to keep it. It must run an opt-in campaign to get user permission to use the data.
You’re probably thinking, “Europe is far away, I’m safe.” Wrong. These regulations will indeed have global influence. It’s all due to a clause that deems the regulations applicable to ANY company that provides goods or services in the EU or processes ANY EU citizen’s data. Can you hear the nervous gulps? Perhaps one of them is your own. Most modern businesses sell internationally, including to the major markets found across the pond. Marketers working for those businesses will undoubtedly get caught in the crossfire.
If you use Google Analytics, you’ve received an email about their new data retention settings or have seen the notice. This is a direct result of Google’s efforts to become GDPR-compliant. More changes are to be released by May 25th, such as being able to delete user data based on Client ID or User ID.
Website registration info, sales and marketing databases, email lists—the number of tools and data-driven marketing assets jolted by the looming GDPR is huge. Don’t think you can walk away unscathed. It’s time to determine its effect on you, your business or your clients. Get moving to ensure GDPR compliance in time, or at least until U.S. legislation catches up.