What is GDPR and how does it affect your business
The updated GDPR legislation from the EU is just around the corner, and it unites marketing, IT and legal departments across the EU.
Since I myself work with data, marketing and communication, I’ve been keen to educate myself on this topic, and this is my guide to the very basics: what you need to know about GDPR and what you need to be aware of from the marketer’s perspective. Knowledge, as someone famous and clever said, is power, and there seem to be as many interpretations of this law as there are people.
The law is a much bigger organisational question than how I manage my newsletter subscribers and list. It’s about taking full responsibility for your customers’ data.
Date updated: 14/1/2018
(I will continue to update this post as I learn and discover more facts, opportunities and resources on the subject of GDPR)
What is it?
GDPR stands for General Data Protection Regulation. It’s a European law (from the European Parliament, so this only affects countries within the European Union) whose purpose is to protect the data of all citizens within the European Union.
When does it start to take effect?
The new updated legislation was passed in April 2016. It has a two-year transition period and will start to take effect in May 2018, hence all the recent awareness about the new legislation. The data protection directive it replaces was, however, already established in 1995.
How does it affect your business?
If you conduct business within the European Union, you need to comply with this law. So let’s break it down into smaller chunks:
- If you track IP-addresses and/or cookies – you need to comply with this law
- Personal data – any data that has to do with people in any way, shape or form (from IP-addresses to mobile device identities)
- You are not able to store data on people under the age of 18 (I’m unsure about this one, and I need more information)
- Does this mean that this is everything you need to do and know when doing business or owning platforms within the European Union? No, local data laws still apply on top of this.
Marketing and communication
- You need to ensure that your customers have made an active choice to hear from you – that your customer/lead has actively given their consent for your company to use their data
At the moment of writing this, from a Swedish perspective, it seems like the regulation is unclear about whether you may keep the data of customers who made an active choice before May 2018 to hear from your company (say, signed up for a newsletter) after May 2018, or whether you actually need a renewed and updated consent from these customers.
- Companies need to have a time stamp of the data and of the consent.
- Your company is now required to document the life cycle of the data, your data processing process (for example profiling etc.) and the names of the people handling the data, and to keep their contact details updated so they can be reached.
What actions do you need to take?
- You need to look over all your policies and terms and conditions that are presented to customers and that concern both them and your communication with them.
- Your company needs to ensure that personal data is stored encrypted and securely, and that you have processes and protocols in place to protect it.
- You need to be able to ensure that your company can erase or transfer data upon an individual’s request.
- Should your company handle large amounts of personal data, your company now needs a Data Protection Officer.
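The three technical points above (a time-stamped record of each consent, and the ability to export or erase a person’s data on request) fit together in one small piece of code. The following is an added example written for this post, not code from the original article or any GDPR tool; it keeps everything in memory, and the e-mail address, name and timestamps are constructed sample values.

```python
"""Minimal consent ledger: time-stamped consent records per person, plus
export (data portability) and erasure on request.  Added illustration,
not the original post's code; storage is an in-memory dict and all
sample data is constructed."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class ConsentRecord:
    purpose: str        # what the data is used for, e.g. "newsletter" or "profiling"
    granted: bool       # True = opted in, False = consent withdrawn
    source: str         # where the choice was made, e.g. "signup-form"
    recorded_at: str    # ISO-8601 UTC timestamp: the evidence of when consent was given


class ConsentLedger:
    def __init__(self, clock=None):
        # The clock is injectable so examples and tests get deterministic timestamps.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._subjects = {}          # email -> {"profile": {...}, "consents": [...]}

    def register(self, email, **profile):
        self._subjects.setdefault(email, {"profile": dict(profile), "consents": []})

    def record_consent(self, email, purpose, granted, source):
        """Append a new decision; earlier records are kept so the history is auditable."""
        record = ConsentRecord(purpose, granted, source, self._clock().isoformat())
        self._subjects[email]["consents"].append(record)
        return record

    def has_consent(self, email, purpose):
        """The latest decision for a purpose wins; no record at all means no consent."""
        subject = self._subjects.get(email)
        if subject is None:
            return False
        for record in reversed(subject["consents"]):
            if record.purpose == purpose:
                return record.granted
        return False

    def export_subject(self, email):
        """Data portability: everything held about one person, as plain data."""
        subject = self._subjects[email]
        return {"email": email,
                "profile": dict(subject["profile"]),
                "consents": [asdict(r) for r in subject["consents"]]}

    def export_subject_json(self, email):
        """Same export, serialised so it can be handed to the individual."""
        return json.dumps(self.export_subject(email), indent=2, sort_keys=True)

    def erase_subject(self, email):
        """Right to erasure: drop the person entirely. Returns True if anything was removed."""
        return self._subjects.pop(email, None) is not None


def demo():
    """Walk through the lifecycle with a fixed clock so the result is reproducible."""
    fixed_clock = lambda: datetime(2018, 1, 14, 9, 30, tzinfo=timezone.utc)  # constructed
    ledger = ConsentLedger(clock=fixed_clock)
    ledger.register("anna@example.com", name="Anna Example")                 # constructed
    ledger.record_consent("anna@example.com", "newsletter", True, "signup-form")
    before = ledger.has_consent("anna@example.com", "newsletter")
    export = ledger.export_subject("anna@example.com")
    ledger.record_consent("anna@example.com", "newsletter", False, "unsubscribe-link")
    after = ledger.has_consent("anna@example.com", "newsletter")
    erased = ledger.erase_subject("anna@example.com")
    return {"before": before, "after": after, "erased": erased, "export": export,
            "known_after_erasure": ledger.has_consent("anna@example.com", "newsletter")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter here: consent is never overwritten, only appended, so you can show when and where a person opted in or out; and erasure removes the whole entry rather than flagging it, so a later lookup behaves exactly as for someone you never knew.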
What is the work-around?
- If you have data from which there is no way to identify an individual. (NB – I need more background information on the particulars of this)
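One common way to move data towards that state is to strip direct identifiers and replace them with a keyed token, so records about the same person can still be counted together for analytics without naming them. This is an added example written for this post, not code from the original article; the record, key and field names are constructed, and the choice of which quasi-identifiers to coarsen (birth date to year, postcode to its first three digits) is an illustration, not a rule. One caveat worth knowing: keyed pseudonymisation is reversible by whoever holds the key, and GDPR still treats such pseudonymised data as personal data, so the key needs the same protection as the original data.

```python
"""Pseudonymise a customer record: replace the direct identifier with an HMAC
token, drop the name, and coarsen quasi-identifiers.  Added illustration, not
the original post's code; all sample values are constructed."""
import hashlib
import hmac

# Constructed sample record as it might sit in a marketing database.
SAMPLE_RECORD = {
    "email": "Anna.Example@example.com",
    "name": "Anna Example",
    "birth_date": "1985-06-12",
    "postcode": "11430",
    "interests": ["running", "coffee"],
}


def subject_token(email, key):
    """Keyed hash of the normalised e-mail.  Same e-mail + same key -> same token,
    so records can still be joined; without the key the token cannot be recomputed."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record, key):
    """Return a new record with direct identifiers removed and quasi-identifiers coarsened."""
    return {
        "subject_token": subject_token(record["email"], key),
        "birth_year": record["birth_date"][:4],          # year only, not the full date
        "postcode_area": record["postcode"][:3],         # area prefix, not the exact code
        "interests": list(record["interests"]),          # non-identifying attributes kept
    }


def count_by_subject(records, key):
    """Analytics on pseudonymised data: how many records per token, no names involved."""
    counts = {}
    for rec in records:
        token = pseudonymise(rec, key)["subject_token"]
        counts[token] = counts.get(token, 0) + 1
    return counts


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice: a managed secret, never stored with the data
    print(pseudonymise(SAMPLE_RECORD, key))
```

The token is derived with HMAC rather than a plain hash so that two datasets pseudonymised with different keys cannot be linked to each other, and so that nobody without the key can rebuild the mapping; destroying the key is what turns these tokens from pseudonyms into values that no longer point back at a person.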
What happens if you do not comply with this, or with some of the points covered in the legislation?
- Companies that do not comply with this regulation can be fined for this – the most severe fine is 4% of your company’s actual global turnover. Less serious breaches will only incur 2% of your company’s global turnover.
Useful GDPR resources:
This is a great checklist which even covers which department you need to involve for each step – GDPR Compliance Checklist from Latham & Watkins