When I first heard the rumblings of GDPR (the General Data Protection Regulation) I was intrigued but only paid a modicum of attention. After all, this was for the EU and I was in Texas, so it wouldn’t affect me but I thought it was an interesting step in the right direction to help build and preserve users’ rights to privacy.
But guess what? It doesn’t matter if you’re in the EU or here in Austin, TX—if any of your traffic comes from the EU, then the GDPR applies to you, too. SO, what do American companies need to do to prepare for the new European legislation?
We’re going to cover that in today’s blog. Let’s go!
GDPR: The facts
When does the GDRP go into effect?
May 25, 2018
What is the GDRP?
The General Data Protection Regulation is a new European Union regulation going into effect in May of 2018. Its main focus “aims primarily to give control back to citizens and residents of their personal data and to simplify the regulatory environment for international business by unifying the regulation with the EU [Wikipedia].”
The TL;DR version: The GDPR is a regulation that aims at helping users keep their information private and giving them more control over how their data is put to use by the companies/platforms that collect it.
How is the GDPR different from the DPD?
While many have defined the difference between the GDPR and the DPD as an enhancement of current protection of user’s data, the differences go far beyond that. Here are some (but not all!) of the things that make the GDPR a different beast altogether:
It’s a Regulation, not a directive.
A directive is more of a suggestion—it can be followed as each country sees fit. A regulation must be followed as stated by the entire EU without exceptions.
Sovereignty over data
Users don’t just have the option to opt-in to sharing their data, they must explicitly allow their data to be used. Not only must they consent to the use of their data, but the onus of the business is now to tell users exactly HOW their data will be used.
A new definition of “Personal Data”
No longer a slightly hazy term, the GDPR has created a more concise definition of what falls under the “personal data” definition umbrella: Any information that can directly or indirectly identify a person. Data points like name, location, IP address, etc. are included in this list. Even data that has been key-coded can fall under this new definition, so businesses need to make sure their GDPR readiness includes this!
A new set of rights
A new set of user’s rights has been identified as part of the new regulation. We’ve listed them below with a very quick definition but more comprehensive definitions can be found on the ICO’s website:
- The right to be informed. Individuals have a right to know about the collection and use of their data.
- The right of access. Users have the right to access the information you have about them.
- The right to rectification. Users have the right to have inaccurate information corrected.
- The right to erasure. Also known as “the right to be forgotten,” this ensures that individuals can request that their data be erased.
- The right to restrict processing. An individual may request that their personal data not be used for the purposes you’ve intended. A business may store the data in this situation but not use it.
- The right to data portability. Users should be able to move, copy, or transfer their personal information from one “IT environment” to another.
- The right to object. Users may object to the use of their personal data in instances of profiling, direct marketing, and research.
Who does the GDPR effect?
While this is a EU regulation that effects the citizens and businesses within the 28 countries of the EU, it has a far wider reach.
If you are a business outside of the EU that markets its products to consumers in the EU and/or monitors the behavior of people in the EU the GDPR applies to you, as well.
A lot of current information simply states that the fine is 20 million euros (roughly 24 million US dollars) or 4% of the annual revenue of the offending business—whichever is bigger. But, rest assured, you’re not going to wake up one morning to a 20 million Euro bill in your mail box. The GDPR violation fines are divided into “Lower Level” and “Upper Level” quantities and 10 criteria have been identified as a way to determine the amount of the fine of a non-compliant business.
The 10 criteria are:
- Nature of infringement
- Preventative measure
- Data type
The lower level fines are up to € of the prior financial year—whichever is higher. PS: That’s still terrifying.
The upper level fines are those scary numbers from earlier: up to €20 million or 4% of the revenue of the prior financial year—whichever is larger.
What do you need to do to get GDPR ready?
While we can’t give you specific advice for your business, we have come across some great resources that we want to share to help other companies get ready.
THIS checklist from Hallem is the best one we’ve found so far, so be sure to check it out. It covers what you need to do for your website:
Make sure your forms have active opt-in verbiage. The current marketing trick of asking for an opt-out instead is no longer going to cut it.
Unbundle your opt-in options. The GDRP requires transparency when it comes to data tracking and usage which means you need to be very clear to your users about how and why you track and store their data and if they want to be a part of it. We’ve seen opt-in forms for both Terms and Conditions and Contact permission.
But wait, there’s more (opt-in)! If you have many forms of processing like direct mail, email marketing, text, etc. You’ll need to be clear about this, as well, and make sure your users have the ability to choose how you use their data in a pretty granular way. The example below is from the aforementioned Hallam article:
Make it easy to opt-out at any time. This is not a one and done situation. A user may decide to opt-out at ANY time in their relationship with you and so you need to be ready to remove them from your database. The safest bet is to allow users to opt out of specific forms of communication, change the frequency of communication or opt out entirely. This is already in practice for a lot of content marketing, via a manage subscriptions option you’ll often see with newsletters and other email marketing tactics.
Name names. If you have multiple brands or work with 3rd parties, these need to be part of your opt-in strategy as well. Make sure you clearly define your other brands/3rd parties so your users can choose what they want to see.
An example from the Information Commissioner’s Office (ICO):
Online Payments, too! A lot of businesses are opting to change their e-commerce process to remove any personal information gained from an online transaction after 30-60 days. While the GDPR doesn’t explicitly state a time frame, it’s best to err on the side of caution.
Here is an example of one from the UK grocery chain Sainsbury’s:
Some other sources
Still need some information? Good! Here are some places we recommend:
- EUGDPR.org is a website resource that gives some great, easy to understand information.
- HubSpot GDPR Compliance is HubSpot’s information page about the GDPR, some FAQs, and changes it’s making to its software to help its partners stay compliant.
- The Information Commissioner’s Office has an comprehensive guide.
- For more information on the 10 criteria and GDPR fines check out GDPR EU.org’s page on Fines and Penalties.
- Want to read the entire GDPR? Ok, you weirdo, read it here.
What are WE doing?
Envision Creative was FOUNDED because we wanted to create an agency that was more client-focused and we’re strong believers in transparency and respecting our clients’ and users wishes. We’ve updated our policies and are working with HubSpot to make sure we’re not taking any actions that users haven’t opted into. We don’t specifically target UK users but that’s not the point—if we can do something to make your experience with us just a little better, we’ll do it!
Any questions? Let us know and we’ll do our best to answer them! Have any resources to add? Share them in the comments.