The biggest change in data law for decades is coming into force on 25 May 2018 across the EU. The General Data Protection Regulation (GDPR) replaces the existing Data Protection Directive and applies to all EU member countries. The idea behind the GDPR is that data subjects are protected from companies selling their personal data; they have to be informed at all times about their rights and how to object to the processing of their personal data.
There are several areas marketers must watch out for, with the deadline looming ever closer.
1. How to avoid colossal new fines?
The worry keeping most marketers awake at night is the potential of being fined due to data law breaches. One of the most shocking elements of the GDPR is how high the new penalties are. Data protection authorities can now impose fines for infringements of up to 4% of annual worldwide turnover, or 20 million euros - whichever is the greater value - creating a fearful weapon to control the use and processing of data in Europe.
The new regulation is a binding legislative act, whereas the previous directive set out data law goals to all EU countries. This means you might have been “getting away” with data law breaches previously, but you could be facing huge fines if you do not get your data in order before May 2018.
2. Do global companies have to comply?
The GDPR means all of the EU will now have the same law, whereas under the previous directive each country could set its own enforcement levels. Globally operating companies (even those without a European presence) will now have to abide by the GDPR if EU residents’ personal data might be affected, or if their behaviour is monitored. In the case of online marketing, there are few scenarios where the GDPR would not be applicable, since every website offering services or goods might be visited by European residents. In other words, the GDPR will become a global privacy legislation, and any business processing the data of EU citizens will have to appoint a representative in the EU.
3. Does Brexit mean no GDPR for the UK?
Wrong. In the words of the EU itself: ‘If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit.’
If you trade solely within the UK, the position is a little hazier post-Brexit. The government said it will operate an equivalent or alternative to the GDPR. The EU expects this legislation will largely follow the GDPR, as it was previously supported by the UK government as an effective privacy standard and provides a clear baseline against which UK businesses can seek continued access to the European digital market.
4. Do I have to ditch all my current data?
No. Data already obtained does not have to be deleted. If it has been obtained lawfully under the current directive, companies can continue using it. Consents given under this directive will also not necessarily be invalid. The GDPR states that consents do not need to be obtained again or confirmed by consumers, provided they conform to the GDPR requirements.
The GDPR applies to all processing of personally identifiable information (PII) - any information relating to an identified or identifiable living natural person, directly or indirectly. An IP address, certain cookie data and geolocation data can also be classed as personal data under the GDPR. Browsing behaviour collected to build a profile will also be considered personal data.
5. How to manage data with third-party suppliers?
Do you have a data processing agreement in place for every third party processing data on your behalf? Review which suppliers you use and whether you have an agreement in place with each. If not, you need to get data processing agreements set up before May 2018. Regarding consumer consents, the GDPR says consent can only be given for specified data processing by a clearly identified person or party. Using unspecified third parties will result in invalid consent, so beware of this.
The enforcement date of the GDPR is 25 May 2018 - at which time those organisations in non-compliance could face heavy fines. Prepare now for data law changes.