What is GDPR and How Does it Affect my Company?

GDPR is looming. Everyone panic!

As you might have heard in the news recently, the GDPR (General Data Protection Regulation) is a big deal for companies marketing to consumers in the UK and Europe. It’s also old news. In place since 2016, this sweeping legislation is only now starting to get some traction in the US media because the law goes into effect in a little over four months. And a lot of US companies are just now realizing the law applies to them.

For those unfamiliar with the legislation, the GDPR is a European Union (and UK, post-Brexit) data protection law that will go into effect on May 25th, 2018. While it is European legislation, the GDPR impacts ANY company targeting EU or UK consumers. This means that a US company that markets a product to a European audience must comply with the law…technically speaking. We haven’t yet read how the EU will enforce the law or penalize US companies. But, for clarity’s sake, let’s assume they’ll figure those details out.

What does the GDPR require?

The GDPR is comprised of 99 articles, the text of which would fill hundreds of printed pages. The basic, broad-stroke description of the law is that it defines how a company may gather, store and use the private data of EU citizens. It also defines what a company must do if those data are lost, stolen or hacked in any way.

Exactly which rules your company will need to comply with will depend on the answers to questions like these:

  • Are you marketing to an EU or UK audience?
  • Are you gathering personal data from that audience?
  • Are you asking for consent for all of the campaigns you send to the EU audience?
  • Are you storing private data such as credit card numbers or other personally identifiable information?
  • Are you processing private data and using it for other purposes like future marketing programs?
  • Are you sharing marketing data with other entities?

How do you comply with the GDPR?

To comply with the GDPR, a company must put in place data gathering and management processes that conform to the GDPR rules. Those rules dictate how a company is allowed to gather personal data from its customers and potential customers, and how those contacts must be allowed to delete or modify their data in the future. The law also stipulates what must happen in the event the data are hacked, compromised or lost.

If you or your company answered yes to the questions above, you will need to familiarize yourself with the GDPR specifics and requirements. Some of the important new regulations, as paraphrased by EUGDPR.org, are:

Consent
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”

Breach Notification
“… breach notification will become mandatory in all member states where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals.’ This must be done within 72 hours of first having become aware of the breach.”

Right to Access
“… the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.”

Right to be Forgotten
“Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”

If you feel that your organization may be impacted by this new regulation, please feel free to contact us to discuss implementing any changes required by the May 25 deadline.

Additional Resources