To succeed in digital marketing today, it’s imperative to stay at the forefront of a constantly changing landscape. The EU’s General Data Protection Regulation (GDPR) is one such change. Consider it your wake-up call.
While the EU is the first to implement data regulations of this kind, the GDPR has global implications and signals a new era in how personally identifiable information is managed.
It’s important to note that GDPR is not something new (although you may only have recently heard of it). And it’s not in reaction to the recent Cambridge Analytica scandal. While the timing of its implementation lines up almost perfectly for news cycles, it was actually passed into law in 2016.
This is important to note for two reasons. Firstly, because these recent developments and data scandals have only added fuel to the fire of regulating how data is handled. And secondly, because there is no grace period to comply with these regulations. The time is now -- May 25th is the day the regulations go into effect.
The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25th, with widespread implications for brands globally. These regulations govern how EU member states deal with users’ personally identifiable information.
These protections extend to anyone within the EU. This means that even if you go on vacation in an EU member state, you are protected under the GDPR. As a result, compliance is required not only of companies based in the EU but of anyone who collects data originating from the EU (for example, if you have a form on your website and someone residing in the EU fills it out).
This type of regulatory action is unprecedented and will require companies to provide the highest level of data privacy protection or receive crippling monetary fines -- the greater of 20 million Euros or 4% of your company’s global operating revenue.
GDPR concerns how personally identifiable information is used and stored by companies. It exists to give the consumer the utmost control over their personal data. A key element of this regulation states that any personally identifiable information a company holds must be anonymized and strongly encrypted, meaning that no personally identifiable information should ever be traceable back to the person. All identifiers need to be stripped away when the data is stored so that it can’t identify any individual.
This includes information like IP addresses, email addresses, names, location data, birth dates, phone numbers, financial info, religious preferences, biometrics and more. And it must be secure: the countless data breaches common today will no longer be acceptable.
Not only do you have to ensure you are storing the data securely, you also have to ensure the consumer has the ability to monitor, check, control and, if they want, delete the data you have on them.
You may be asking, “This is happening overseas and my business operates within the US. Why should I care about these regulations?”
The short-term answer is that it has the potential to impact you, so it’s worth your time to make sure you’re buttoned-up. Additionally, it signals the future of consumer data protection and we expect to see changes that will directly impact US-based companies at some point in the not-too-distant future.
This act protects data for all users within the EU, wherever it goes. The GDPR breaks out who must comply into two groups:
If you’re not located in the EU, you still need to ensure compliance unless you block all traffic coming in from anywhere within the EU.
Try this: log into your company’s Google Analytics account and view the geography of users on your site over the last 60 days. Is any of the traffic from countries within the EU?
If you aren’t sold on complying with GDPR, here are some of the criteria that determine whether you would be at risk of being penalized by the EU.
It may be enough evidence for the EU to pursue you for compliance if your company markets its products in a language commonly used in an EU member state, if your company lists its products in EU member state currencies, or if your company references or cites EU customers or users.
These broad definitions leave open an unknown amount of risk for your company. We don’t know how aggressively the EU will go after firms not located within the EU. But mitigating the risk as much as possible is a good idea considering the monetary consequences of non-compliance.
Figuring out how to comply with these regulations can feel like wading through murky water. While Room 214 does not offer legal advice, we've put together a list of areas to consider when entering into conversations with your internal marketing and IT teams, partner agencies, and your legal department to help navigate this confusing topic.
The EU has historically been focused on consumer protection, with a long-standing history of passing legislation that favors the consumer over businesses. Conversely, the US has always skewed more business-friendly.
Given the current administration, the policies coming from the FCC (e.g. on net neutrality), the amount of lobbying, and the size of the data analytics and tech industries, it is highly unlikely we will see any GDPR-sized regulation from the United States federal government anytime soon.
However, while Washington has always been business-friendly, states such as California have taken up the consumer protection flag on their own. It is likely we will see regulations at a state level. California has already introduced the California Consumer Personal Information Disclosure and Sale Initiative, which is on course to appear on their November ballot. If individual states start to regulate data usage, it will create a complex and cumbersome environment for companies to navigate.
It seems that we are in a time of change when it comes to how personal data is handled. The recent Cambridge Analytica data scandals and the massive data breaches we’ve seen over the past few years are only adding fuel to the fire surrounding consumer data.