The GDPR legislation is just around the corner. Marketers still have time to learn about GDPR and make the necessary changes before the Regulation applies, but they need to start down that path soon.
The General Data Protection Regulation (GDPR) is new EU data protection legislation that replaces the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy law across the member states of the European Union, to protect the personal data of individuals in the EU and give them control over their own data, and to reshape the way organizations across the region approach data privacy.
GDPR applies from May 25th, 2018 and will affect all marketers established in the EU, as well as those outside the EU who offer goods or services to, or monitor the behaviour of, individuals in the EU. Non-compliant organizations face fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher.
The United States does not have an overarching federal data privacy law. There are federal laws that provide some minimal data privacy protection for certain industries or situations (HIPAA, FCRA, the FTC Act, COPPA, etc.), but otherwise data privacy is governed by state law. In fact, as of mid-2017, 48 states had their own data breach notification laws, each different from the next, and two states, Alabama and South Dakota, had none at all. While GDPR requires more of marketers, they will also benefit from a single, uniform set of data protection rules across the EU.
At the heart of the newly defined rights of individuals is control. The key areas they will now legally control are:
GDPR's scope is based on where the data subject is and where the organization is established, not on citizenship. It applies to processing by controllers and processors established in the EU, and to processing by organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals who are in the Union, whatever their nationality. So if a marketer controls or processes the data of people in the EU as part of a sale of goods or services, communications, etc., GDPR applies whether the marketer is physically in Europe or elsewhere. Much commentary speaks loosely of "EU citizens", which has caused some confusion on this point; the Regulation itself refers to data subjects "in the Union". Coupled with the recent Equifax and Uber data breaches, and the 2017 U.S. Executive Order reducing data privacy protections for non-U.S. persons, we fully expect the EU to enforce this law vigorously on behalf of the people it protects.
Personal Data includes all PII but goes far beyond that concept. Marketers need to be thinking in terms of Personal Data going forward, not PII. Personal data includes, but is not limited to, identifiers such as a name, email address, phone number, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. Personal Data differs from PII because it covers not only directly identifying items such as an email address, but also indirectly identifying data points such as sex, race, income and much more. Consider the example of age. By itself, age cannot single out an individual from a large group. In combination with gender, zip code, birth month, etc., however, someone could reasonably identify an individual. This indirect concept is why the EU has not published a closed list of personal data points and is unlikely to do so in the future. There are also special categories of data that are afforded extra protection because they can easily be used to discriminate.
Special categories are types of sensitive personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation. Processing of these types of data is allowed only under specific conditions so as to protect data subjects from potential discrimination.
Yes, a data retention policy is required. It should incorporate key GDPR concepts, including data minimization, storage limitation, and the erasure of personal data once it is no longer needed for the purpose it was collected for, not only in response to an individual's request for erasure.
No, in fact it may increase your risk of violating GDPR and other laws like CAN-SPAM and CASL. GDPR is designed to help marketers understand their responsibilities, not keep them from functioning. For example, you must retain an accurate suppression list of people who have opted out, stored in a secure environment; without it you cannot safeguard against accidentally sending to people who have unsubscribed.
To ensure compliance, marketers should evaluate all their programs, policies, vendor contracts and agreements, as well as data management practices. Any necessary changes should be made prior to May 2018. Here are a few essential areas that marketers should address:
*This guide is designed to provide a basic level of understanding of GDPR and to highlight the key areas we think are most critical to our clients. It is not legal advice. All marketers should consult their legal counsel to address their unique needs and compliance requirements. As aspects of the law are clarified or amended, our position on some elements is subject to change without notification.
Check out our GDPR library for more best practices to help with compliance: