The GDPR takes effect May 25, 2018 and is designed to unify data privacy requirements across the European Union (EU).
There have been a lot of high-profile brands in the news lately that are doing a great job proving that all publicity is NOT good publicity. Watching companies as big and powerful as Facebook, Equifax, Yahoo and Target lose respect—and business—overnight from external breaches or internal mishandling of consumer data should give ALL businesses pause.
And yet, many American companies are still failing to adequately prepare themselves for one of the biggest shifts in data privacy oversight—the European Union’s General Data Protection Regulation.
Whether this is due to procrastination or the misguided belief that European regulations will have no legal consequences for U.S. businesses, the fact remains that GDPR is a global data game-changer. Those who continue playing by the old rules run the risk of ending up in the wrong kind of headline.
What is GDPR?
Taking effect May 25, 2018, the EU General Data Protection Regulation (or GDPR) is designed to establish stronger, more unified data protection laws across the entire EU. Under GDPR, consumers will enjoy more control over what happens with their personal data once it’s collected by organizations, such as:
The right to be forgotten
Once data is no longer relevant to the original purposes for which it was processed (subject to certain conditions), consumers can ask an organization to erase their personal data and stop disseminating it to third parties.
The right to access
Consumers are entitled to a free electronic copy of any and all personal data an organization holds about them, even if that data is not currently being processed in any way.
Data portability
Not only do consumers have the right to request a copy of their personal data, they also have the right to give that data to any other organization or entity they choose.
But that’s not all. GDPR also expands organizations’ responsibilities to include:
72-hour breach notification
In the event of any data breach deemed likely to “result in a risk for the rights and freedoms of individuals,” mandatory notifications to customers or controllers must be made within 72 hours of discovery.
Stronger conditions of consent
For those operating in member states, the days of long, illegible terms and conditions forms are over. Requests for data consent—and the purpose of all data processing—must now be provided in an easily accessible form, using clear and plain language. It is also required that withdrawing consent be made as easy as providing it.
Privacy by design
While not a new concept, “privacy by design” will officially become a legal requirement under GDPR. From this point forward, platforms must set the strictest data privacy settings as default parameters rather than forcing users to implement them as add-ons.
Why should U.S. companies care?
GDPR has been in the works for six years, so U.S. companies that do global business involving EU companies and consumers should already be ready for the new regulations. But what about U.S. companies that don’t have a presence outside the country?
Aye, there’s the rub: in the digital age, your company’s “presence” can cross borders whether by design or not. So, depending on the kinds of online commerce and marketing you do, there’s a good chance you could be subject to GDPR and not even realize it.
Better safe than sorry
The gradations of exposure U.S. companies face—especially those whose online presence extends well beyond our borders—are far-reaching and complex. Considering GDPR’s steep fines—up to €20 million or 4% of global revenue, whichever is greater—U.S. companies would be wise to start getting their compliance ducks in a row in advance of May 25.
With the recent Equifax and Facebook debacles still fresh in the mind, the drumbeat for tighter regulation here in the States is growing louder. GDPR is likely one of those “genie out of the bottle” events that will transform how all companies and countries approach data security going forward. Smart brands will see the value in proactive adoption.
Wondering if your marketing meets today’s tough data security standards?
Download our FREE Secure Marketing Communications Checklist and find marketing vendors you can trust.
*Our statements/opinions are our interpretation of the General Data Protection Regulation, and our blog should not be taken as legal advice.