What is the GDPR & who does it affect?
Do you run a newsletter? If so then get ready for the changes ahead in data protection. The General Data Protection Regulation goes into effect in May of 2018 and will change the way you collect, store and handle email addresses and all user data.
The GDPR states that the regulation applies to the processing of personal data of subjects located in the EU, even if the controller or processor is not established in the EU.
In general, any company that markets goods or services to EU residents can be subject to the GDPR, regardless of the physical location of the business itself. This provision essentially makes the GDPR a worldwide law. The current, soon to be outdated DPD (Data Privacy Directive) was not nearly as expansive in its geographical reach, partly because it did not anticipate the use of digital personal data such as IP addresses in data collection.
In practical terms for marketers, this means reviewing existing data against the new regulation and implementing the required changes to how users' data is collected, handled and stored. To implement these changes, it is important that businesses understand, from the top down, what is required.
Failure to comply with the regulation carries a penalty of 2-4% of global turnover or €20 million, whichever is greater. This applies to violations such as lacking consent to process data or violating privacy by design. Lesser violations, such as records not being in order or failing to notify the supervisory authority or the data subject about a breach, could result in a fine of 2% of global turnover.
In preparation for the GDPR, broaden your definition of personal information to include newly protected forms of personal data such as IP addresses, mobile device identifiers, geo-location and biometric data. In addition, psychological identity, genetic identity, economic status, cultural identity and social identity are also protected by the GDPR.
GDPR Compliance Checklist
- Determine how you will handle collecting consent from individuals to collect their personal information. Be sure to define very clearly how you will use personal data in order to keep their trust. Update and simplify your user agreements. Make sure they are readable and easily understandable by the individuals you want to collect data from. This will most likely do away with the long, drawn-out agreements that we are all guilty of not reading.
- Determine how you will handle requests about how personal information is being handled. The GDPR requires that this information be given to the requesting individual in an electronic format in a timely manner.
- Ensure that you have the proper protocols set up to delete individuals' information upon request. Individuals have the right to be forgotten, so make sure you can fulfil that right with ease when the situation arises.
- Determine whether you are a Data Processor or a Data Controller. Do you simply collect the data, and/or are you a third party that processes the data? Either way, you have to be compliant with the GDPR and are equally responsible for any breach in security.
- Determine if you need to appoint a Data Protection Officer. For any company collecting or processing data of individuals in the EU, the answer is going to be "yes." A DPO may be an existing employee.
- Determine how you will design your privacy protocols. Privacy by design is a key element built into the GDPR. Figure out how you are going to build the privacy standards into your business.
- Discard personal data that is no longer being used. If you're not using the personal data, there is no reason to risk a potential penalty or fine by continuing to hold it. Stay on the safe side and discard the data if there is no longer a use for it.
- Conduct an impact assessment. This will help define the risks of a data breach and help address any holes found in governance initiatives.
- Ensure you have a plan in place that complies with data breach notification laws. Similar to the point above, make sure you know whom to notify, and how, if something does happen.
- If your business is not located in the EU, determine whether you are liable under the GDPR. While many non-EU businesses will be affected, there is an exception with regard to maintaining records of processing. Educate yourself and your staff so you are certain whether this regulation applies to you.
As we understand the changes in more detail, we will update you with examples of forms and data collection in marketing campaigns once the GDPR takes effect in May 2018.
More resources can be found here:
Marketo Webinar: Understanding & Working with the GDPR: Engaging Your EU Audience