“What is GDPR?” is the most common question we’ve been getting in our inboxes over the past few months. To help more of our users and the email marketing community, here’s what constitutes GDPR compliance.
Privacy protection is garnering attention. In that light, the European Union, to protect EU-based users, has passed a new framework to safeguard data and privacy for its citizens.
Evaluate your business today and hold on to your hard-earned data.
Effective May 25th, 2018, GDPR is a list of specifications on how businesses should process and handle personal data. In effect, this regulation is meant to ensure that private data is processed transparently under the new law, for a clearly stated purpose, and with the end user’s consent. Once that purpose is fulfilled, the data should be deleted, provided there are no legally binding regulations in the country or business that require otherwise.
The GDPR gives users more flexibility over what they have shared. Among other things, users have the right to access, modify, rectify, or delete their data altogether. The regulation will also set the foundations for a uniform set of data protection policies throughout the European Union. In other words, where there used to be different sets of rules per country, now there is one. Dated as those rules were, this radical change in data protection was much needed.
Let’s review the facts in more detail:
The new regulation has created demand for legal and technical experts, and is moving toward the creation of an entirely new job title (see Data Protection Officer (DPO) below). To help clarify the landscape for you, here are a few basic facts you should be aware of:
GDPR is the recent regulation passed by the EU concerning the protection of personal data of customers residing in the EU. This is to replace the EU Data Protection Directive (95/46/EC), and take it up a notch, by adding extra requirements that all startups, B2B and B2C businesses alike, as well as charities must comply with.
The mission of GDPR is to protect personal data and privacy, as well as security. Personal data includes, but is not limited to, details such as first and last name, email addresses, phone numbers, etc. At the same time, pseudonyms or other data that can be matched directly or indirectly to an individual or company are also considered personal data.
Data controllers cover the “how” and the “why” behind data processing, so it could be anything from a startup to a business to a charity. Data processors are those actually doing the processing (IT experts).
Primarily, GDPR is concerned with a revision of end-user rights.
On a second level, GDPR is concerned with the processes that businesses which monitor, store, or handle this data set up in order to safeguard their users’ data, both proactively and reactively.
By May 25, 2018, you need to have gotten consent from your existing users. Find out more below.
GDPR has been designed to prevent data breaches – but, if one does occur, there are specific steps to be taken by all GDPR-compliant businesses. As soon as you become aware of a breach of personal data, notify the data protection authorities within 72 hours. For the UK, the Information Commissioner’s Office is the point-of-contact authority.
It goes without saying that within that window you won’t necessarily have all of the details that will be needed later. What does matter is an estimate of the number of people affected, the consequences, and your action plan for responding. Following a security breach, a data controller or processor could be fined.
Personal data must be saved in CSV or Excel files, or other common formats, so that it can easily be transferred to another organization upon request of the individual. This process is time-bound and must be completed within a month.
Non-compliance fines could be as high as €20 mn (or 4% of the company’s turnover, whichever is bigger). Meanwhile, Commissioner Denham’s office has stated that higher fines could be claimed in cases of non-compliance in the future. Nevertheless, it should be clarified that demonstrated awareness of and effort toward GDPR compliance will be taken into account, so the size of any fine will depend on a number of factors.
According to the EU, GDPR is effective May 25th, 2018. After the announced deadline, fines may apply in cases of non-compliance.
Is your business based in one of the European member states? Then, to certify transparency and security of personal data throughout your company and processes, your EU business must be GDPR-compliant.
Data controllers and processors must appoint a Data Protection Officer (DPO). A DPO is responsible for data protection within a business. DPOs are also in charge of maintaining the business’s compliance with the current framework. Failing to appoint a DPO can itself result in a fine.
Let’s start with the basics: do not buy contact lists. Purchased lists sit at the wrong end of the GDPR compliance continuum. Besides the deliverability concerns, GDPR might permit certain purchased lists, but, in the long run, is this a risk you are willing to take?
If your company processes or stores personal data of EU residents, regardless of where the company is based, you must be GDPR-compliant.
Whether you get in trouble is up to you. Unless you are willing to risk being fined up to $20 mn (or 4% of your company’s turnover, whichever is higher), or having customers flood your offices with complaints about misuse of their personal data, you will want to be GDPR-compliant by May 25th, 2018.