GDPR is here. Are you prepared?
GDPR, or the General Data Protection Regulation, is a European Union law that protects the personal data and privacy rights of individuals in the EU. It took effect on May 25, 2018. Over the preceding months, companies had to adjust their policies and send out updated privacy notices.
The GDPR applies to any business or organization that collects or processes the personal data of people located in any EU member state, regardless of their citizenship, and it gives those people more control over their data. The compliance rules are strict, and the fines for breaking them are substantial.
The full text of the General Data Protection Regulation law is here. Here is what you need to know about what constitutes personal information, what types of personal information the law protects, how that information needs to be handled, and what penalties exist if information is handled improperly.
What Is Considered Personal Information?
Under GDPR, personal data is any information relating to an identified or identifiable person. Examples include:
- Basic identity information, including name, address, and ID numbers
- Online identifiers, including a person's IP address, location data, and cookie data
- Health information, medical history, and biometric and genetic data
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs, and trade union membership
- Sexual orientation and data concerning a person's sex life
Health, biometric, genetic, racial or ethnic, political, religious and sexual data are "special categories" that receive stricter treatment and may generally be processed only on narrow grounds, such as explicit consent.
What Is Protected?
GDPR gives people in the EU protection against data breaches, security failures, identity theft, and other misuse of personal data. They have the right to know how their data is collected and used, to access it, to have it corrected or erased, to restrict or object to its processing, and to withdraw consent they have given. Companies must honor these requests, generally within one month.
How Do Businesses Handle Personal Information?
If your company sells products or services to customers in the EU, or monitors their behavior online, it is legally required to comply with the law even if the business is not physically located in the EU. GDPR's impact is felt by large advertisers, small e-commerce companies, and many businesses in between.
Some of the questions companies must ask themselves about personal information and privacy controls are:
- Do we have a lawful basis, such as consent or a contract, for each kind of personal data we collect?
- Do we have procedures in place to detect, contain and report a data breach?
- Do we have staff trained to respond to privacy incidents and to handle requests from data subjects?
With GDPR in effect, a company that suffers a personal data breach must notify its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected, and must also inform the affected individuals without undue delay when the breach is likely to put their rights and freedoms at high risk. In recent years more companies had done this voluntarily, but GDPR makes it mandatory.
What Are the Penalties?
The fines for non-compliance can be costly. A company found in breach of GDPR can face fines of up to 20 million euros or 4 percent of its worldwide annual turnover for the preceding financial year, whichever is higher. The amount is set according to the nature, gravity and duration of the infringement, whether it was intentional or negligent, and other factors such as the measures taken to limit the harm and the degree of cooperation with the regulator.
Fines can be imposed on companies that infringe the rights of data subjects, as well as for failing to put the required processes and safeguards in place, even where no breach has yet occurred.
EU consumers will likely become more comfortable with digital privacy practices as a result of GDPR's insistence on clearer disclosure about privacy and data. But achieving compliance is the big issue for many international brands and companies. Marketing is one example: a business can no longer send promotional emails to individuals without a lawful basis for doing so, which in most cases means those people have explicitly opted in, and it must make it just as easy for them to opt out again. Fewer emails to consumers likely means less engagement and thus less revenue.
So, advertisers, you must be more careful when doing business in EU member countries. GDPR will likely lead companies to gather much less data on consumers than in past years unless consumers grant permission. Consumers will likely allow just enough basic data to complete a transaction or order. Only time will reveal GDPR's full impact.