Many of you know by now that the EU’s General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
GDPR requirements will be enforced starting on May 25, 2018, and require organizations to diligently protect personal data, as well as provide proof about how that data is protected.
The goal is to harmonize, modernize, and strengthen data privacy and processing policies across Europe. GDPR replaces Directive 95/46/EC (the ‘Data Protection Directive’) which is out of date due to evolving technology standards.
The GDPR affects ANY business that collects, processes, stores, or uses personal data of people residing in the European Economic Area (EEA). It applies whether or not your organization is headquartered in the EEA, and whether the processing itself takes place inside or outside the EEA. This means that whether you have European headquarters, or are only a firm with offices or customers in Europe, you need to adopt new practices to ensure full compliance with this regulation.
Why Is the GDPR a Law and What Will It Cover?
Overall, the EU wants to give people more control over how their personal data is used, bearing in mind that many companies like Facebook, Google, and others swap access to people’s data for use of their services.
By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes first to improve trust in the emerging digital economy, and second to give businesses a simpler, clearer legal environment in which to operate, with data protection law identical throughout a single market. The EU estimates this will save businesses a collective $2.8 billion (€2.3 billion) per year.
Customers will need to be given choice and control over how their data is handled. To comply, you’ll need to know how the GDPR defines personal data, where it’s located in your business, how it’s used, who can access it, and much more.
For instance, the GDPR sets a high standard for consent, which will have a huge impact on the marketing industry.
The GDPR is the biggest overhaul of EU data protection regulation in more than 20 years, and more guidance will follow. Other areas of focus for the law include the data subject rights it establishes:
- The right to consent (and to withdraw consent)
- The right to be informed
- The right of access to personal data
- The right of rectification
- The right to be forgotten
- The right to restriction of processing
- The right to data portability
- The right to object
- Rights relating to automated individual decision-making, including profiling
- And many more
Organizations need to start by understanding what data they acquire, hold, and process, and the legal basis for doing so.
Privacy needs to be designed into systems and processes, and respect for data subject rights needs to be stepped up. Policies and procedures for handling security breaches need to be in place.
At its heart, however, data protection is about understanding what data you hold and why. Businesses need to review their data protection policies and technology to ensure compliance, and should not be shy about reaching out to their local regulatory body or to a trusted consultant for advice to ensure they get it right.
Be proactive: protect the data you hold, encrypt it, and keep your security solutions up to date. Data breaches occur every day, and the EU has now sharply increased the consequences of inadequate privacy protection. It’s time to adjust in a world of change.
► Learn more about how to prepare for the GDPR in our on-demand webinar in tandem with Return Path: GDPR: Keep Calm, Take Action and Stay Compliant.
- The Definitive Chapter Guide to Re-Permissioning Campaigns for GDPR [Examples]
- 9 Steps Marketers Need to Take Before the GDPR Goes Live [Plus Bonus PDF Checklist]
- What is GDPR? Everything You Need to Know
Dennis Dayman, CIPP/US, CIPP/E, CIPT, FIP is Chief Privacy and Security Officer at Return Path. He has more than 20 years of experience combating spam, security/privacy issues, data governance issues, and improving email delivery through industry policy, ISP relations and technical solutions. As Return Path’s chief privacy and security officer, Dayman leverages his experience and key relationships to provide best practices to Return Path, its customers, and ensures the compliance of their communications data flows. He is also responsible for coordinating and managing Return Path’s international electronic commerce, privacy and Internet-related policy issues.