Does GDPR apply to organizations outside the EU?


For marketers outside of Europe (and a surprising number working within it), the General Data Protection Regulation (GDPR) remains something of a mystery. However, this significant update of data protection law is likely to have a noticeable impact across the world.

Coming into force in May 2018, the GDPR has been created to strengthen the data protection rights of EU individuals, and this new legislation will affect any European member state business offering goods or services. With the existing laws long overdue for revision and varying between countries, the GDPR aims to provide more consistent, comprehensive protection of personal data rights.

But what does this mean for countries outside the EU – if anything? This is a question that many American (and post-EU referendum UK) businesses are asking. Should you care about GDPR if you’re outside the European Union?

The short answer is that if your company does any form of trade with customers within the EU, then GDPR rules will apply to you if you store, process or share EU citizens’ personal data.

Previously, under the Safe Harbor agreement, American companies could self-certify with their promise to protect EU citizens’ personal data when it was transferred to and stored in the US. The data could be exported without the need to ask for consent.

However, with Safe Harbor deemed inadequate and revoked at the end of 2015, and Privacy Shield heading the same way, any contracts drawn up once the Regulation is in force will need to ensure a similar level of protection to avoid serious punitive action. And we mean serious – contravening the GDPR can result in fines of up to 4% of a company’s global annual turnover, or €20 million (whichever is greater).

Creating and adopting a similar set of laws on a par with GDPR is likely to be the course of action taken by ‘Brexit’ Britain, too. Not just because doing business across Europe will continue to be important for the UK, but because GDPR sets an improved code of marketing practice that consumers will demand. UK customers are likely to want the same rights and levels of protection as their European neighbors, and why wouldn’t business want them to have a greater level of trust in their brand?

So, what are the most notable regulations that US and UK businesses should take note of? They include:

  • The right to be forgotten: Individuals will have the power to object to their data being processed and the right for their data to be erased.
  • The right to access their own data: Individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way via Subject Access Requests (SARs). They will also have a right to data portability, making it easier to transfer personal data between service providers.

The ease with which consumers can make SARs has the potential to be a serious headache for organizations. Businesses that process such personal data will be required to stipulate what data they store, the recipients of the data and what they use it for, in most cases within a month and free of charge.

  • The right to know when your data has been hacked: Organizations must notify the national supervisory authority of serious data breaches as soon as possible (normally, within 72 hours) so that users can take appropriate measures.
  • Marketing consent: The GDPR has refined the rules for obtaining consent and how valid consent needs to be demonstrated. Organizations will need clear records to show the date of consent, what has been consented to, the method of consent and who obtained it.

Existing in a world with a global marketplace means that GDPR cannot be ignored, and now is the time to ensure that your company is prepared for how the changes could affect it. Ensuring compliance now, while there is still some time to get the appropriate systems and processes in place, is likely to be complicated and costly – but it could save you a whole heap of trouble come 2018.
