If you work in the world of marketing, you may have heard the term GDPR tossed around a lot lately. As of May 2018, the European Union (EU) changed its data privacy policies to better protect consumers’ personal data. These changes not only affect companies within Europe but U.S business and consumers that work with European customers, as well.
While data privacy has always been a topic of debate, it has become even more prominent in the news, especially with 87 million people affected by Facebook’s data breach. In this day and age, with technology constantly advancing, privacy is becoming more and more important to protect.
What is the GDPR?
The General Data Protection Regulations (GDPR) are essentially the rules that protect a person’s personal information and dictates how that information can be used and processed. The 28 countries throughout the European Union, as well as the European Economic Area, will be under the jurisdiction of the GDPR.
Think of it this way. It’s basically like a corporation giving the power of choice back to the individual. Now, businesses either in the EU or associating with people in the EU must adjust their privacy policies so natural persons (you, the citizen), will be able to better choose what you want companies to have access to and what you want to keep private. An official list of the rules can be found here.
So, What’s Changed?
The GDPR is actually not the first data protection regulation to have been set in place. It has replaced the Data Protection Directive created in 1995 by the EU as a means to expand and delve further into detail on citizen’s privacy rights.
The DPD at its core is based on seven principles:
- Notice – The individual whose information is being used deserves the right to receive a notification.
- Purpose – The data that is collected should be used strictly for its intended purpose only and nothing else.
- Consent – The owner of the data should give clear consent before their data is shared.
- Security– The data that is collected deserves to be kept secure from potential abuse or misuse.
- Disclosure– Those who have consented to give their personal data are allowed to know who specifically will be collecting it.
- Access– The data subject has the right to access and correct anything that is inaccurate.
- Accountability – If a data collector should break any of these principles, the individual who has consented should be allowed to hold such a business accountable.
Now, you may be thinking that already sounds pretty solid, but there were still a number of gray areas. For example, under the DPD, personal information was defined as items like your name, birthday, social security number and email address; however, it’s important to remember the DPD was written in 1995, and technology has grown substantially since then. The GDPR covers even more personal information such as IP addresses, mobile device identifiers and biometric data. The DPD also held ambiguous rules on asking for consent, which the GDPR has since explicitly defined.
The GDPR has expanded on these principles and added many details to clear up any misunderstandings between businesses and consumers in regard to consumer rights. We can break down the important updates for a better understanding of the specific changes.
Expanded Coverage of Individuals
The original protection coverage from the DPD was much more vague and blurred; however, according to the GDPR Portal, even if a company is not located in the EU’s jurisdiction, it still must comply with these new rules in case the individual whose data is being processed is within the EU. Vice-versa: If a company resides in the EU but collects data from outside sources, they must follow the GDPR protocol.
However, should a citizen from the EU travel to a foreign country, they are no longer under the jurisdiction of the GDPR. Businesses catering to citizens located outside of the EU are not required to adjust their privacy policies, regardless of where their customers are from. Conversely, should a foreigner travel to the EU, they are immediately protected by the GDPR. You don’t have to be a citizen of the EU to receive the same rights; as long as you are within the EU, you are protected.
Clear Consent from Data Subjects
In the past, companies could hide forms of consent within lengthy text of legal jargon and terms an individual may not understand. These new regulations are much stricter in stressing that clear and concise forms of consent must be presented and accepted by consumers. It is also a new regulation that consumers can take away their consent just as easily.
Have you ever made an account on a website, and you are later bombarded with offers, deals or the latest trends, yet you don’t remember agreeing to receive them? Have you ever spent a fair amount of time looking for that ‘Unsubscribe’ button that’s hidden at the bottom of the page in small font? Perhaps your location is being used when on a certain app, and you would like to turn it off but cannot find out how. The new consent guidelines through the GDPR as explained by the United Kingdom’s Information Commissioner’s Office (Yes, the U.K. must also comply with these regulations!) helps alleviate some of that stress regarding consent.
The rules regarding consent have been clearly laid out by the GDPR and are broken down into the following:
- Clarity – Consent, when needed, should be given in a clear and concise manner. It must be unambiguous and straightforward.
- Choice- According to the GDPR standards, it is strictly prohibited to offer pre-ticked boxes of consent to consumers. They must freely choose whether or not to give access to their personal data.
- Specifics – The method of asking for consent must be asked specifically each time data is collected.
- Withdrawal – Consumers should have an easy out if they no longer wish to allow companies to access their data. They also must be informed that they are allowed to withdraw at any time.
- Existing Consent – Existing consent may need to be updated with the GDPR’s new standards. Businesses must update and revalidate existing consent should they not meet the aforementioned updates.
The ‘Right to Access’
Once a business has given explicit detail of what kind of data is being collected, the consumer is then allowed to know for what purpose, who specifically is getting it and for how long it will be used. They are also granted information on their right to have their data erased, the opportunity to contact authorities should they be needed and also the knowledge of how their data is protected should it be transmitted to a third-party.
The ‘Right to Be Forgotten'
Along with the ability to access the specifics of their data collected, consumers can also request their data be deleted. This right to erasure also means that as soon as a data collector is finished with your information, they must delete it immediately or cease processing through third-parties. There are steps that must be taken to achieve this request, such as allowing individuals to retract their consent either verbally or in writing. Businesses have at most one month to comply.
It is important to note that while consumers do have access to data erasure, it is possible to have such a request declined should the information collected coincide with the freedom of speech, a legal obligation, for public interest, historical or scientific research or with regard to legal claims.
What Are the Reprimands?
As businesses worked to update their privacy policies, they also wanted to avoid hefty fines. The GDPR details what kinds of trouble companies can get in to if they violate these data protection rules. This includes at its greatest, a global turnover of 4% or €20 million fined—whichever is greater. These reprimands will be determined along with how compliant the business is with the consumer in rectifying a breach of the rules, as well as in what manner the rules were broken. Should a data breach occur, companies have up to 72 hours to alert their consumers.
Tips for Helping Your Brand Comply
- Let customers know their rights! These are some hefty regulations. Displaying that you’ve updated your privacy policies shows that you care about your consumers and want them to trust your business.
- Be as transparent as possible. If your business wants to collect data from its customers, you first need to make sure they trust that you’ll handle it well. Let them know why data sharing is important in continuing to build and market a business. The customers matter.
- Hire a data privacy officer. From the moment the GDPR was launched, all technology developed thereafter should be run through a Data Privacy Impact Assessment. This basically ensures that newer technology has been GDPR approved from its creation. Data privacy officers are there to make sure that the DPIA is implemented, the changes are occurring, privacy notices are updated and businesses are overall complying with the updates.
- Know that the GDPR is here to help make your business better. These regulations are set in place to show that data collection can be safe and useful in helping pave the way for future marketing.
- Check out our blog on how to market through email where we lay out the best ways to continuously market your brand and help ensure you are following GDPR guidelines.
We now have a better way of gaining and keeping the trust of our consumers with the updates of the GDPR. With clearer guidelines on consent, usage and methods for obtaining data, people can finally get back to browsing, shopping and Facebook-ing—with less worry of privacy breach.
What We Can Do for You
At Concentrek, our team can work with you on the best and most efficient ways to market your brand to consumers and ensure you properly comply with all GDPR regulations. Have a project in mind? Contact us today!