In light of the Cambridge Analytica/Facebook privacy scandal this year, many organizations and countries are shifting efforts into high gear to hold entities responsible and bring power back to the consumer. At the forefront, the European Union is setting the standard for data protection policy via the General Data Protection Regulation (GDPR), which becomes effective May 25th, 2018.
What is the GDPR?
The GDPR is a revised EU data privacy rule that was passed in the European Union in April 2016. It is designed to replace the Data Protection Directive and will help bring continuity across Europe in terms of data privacy laws (www.eugdpr.org).
What is personal data?
According to the EU Commission, personal data is defined as, “information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data” (ec.europa.eu). Also, data that has been encrypted or pseudonymized but can be used to re-identify an individual, falls under the GDPR scope, too. Examples of this include an individual’s name; any identification number; location data; and online identifiers like cookies, mobile IPs and even search engines.
What are the key changes?
The General Data Protection Regulation seeks to “improve transparency and effectiveness of data protection activities” (smartinsights). The GDPR reform is an effort to harmonize data regulatory policies and bring power back to the citizens.
Arguably, the most significant change is that the conditions for consent have been strengthened. Previously, consent forms have contained confusing legal language and lengthy, unclear jargon. The reform states that businesses must be able to explain and obtain clear consent for all European new and existing data subjects. Such consent identifies how the organization will “use, store and manage their personal data,” and for how long. Contrary to current practice of many organizations, the purpose of data collection must be communicated in a clear, concise and unambiguous manner.
Breach Notification & Right to Access
The GDPR addresses several changes to the rights of data subjects. Firstly, if a breach or hack occurs, the user must be notified within 72 hours of becoming aware of the breach occurrence (ec.europa.eu). In addition, users have the right to access a confirmation as to whether personal information is being processed, at any point. At the same time, any and all requested personal information pertaining to said subject must be provided in due time, free of charge.
Right to Be Forgotten
Originally, if an organization or entity had to “work for your data, they own it,” and you cannot retrieve it again. The reform now addresses this issue by enabling consumers to not only own their own personal data but give them the “right to be forgotten” at any time.
Lastly, users should be able to download their data in a machine-readable format, such as a CSV file at any point in time. Unlike the Right to Access element that states all personal data be given and how it was used, downloaded data only has to contain data explicitly given by the user (fastcompany).
Why is this relevant?
In today’s global nature of the internet, nearly every facet of the online world is affected. For any business that offers an internet service and is not fully compliant, even if just one user is an EU citizen, non-compliant charges will be enforced.
The marketing industry will face challenges with the implementation of the EU GDPR but must align their practices with the principles. The implications are much grayer at this point. Users must provide consent to the entire processing of data, meaning the information notice must fully reflect the extent of data processing. GDPR principles indicate that any data collected must be used solely for the purpose of the campaign and consent has been granted lawfully. Any data or information collected for a particular campaign cannot be used for another purpose unless further consent has been granted. Additionally, many businesses are choosing to have an “opt-in box” so they can record and clearly illustrate how the data subject gave consent.
Many suggest that practitioners who will be most heavily impacted are email marketing managers, marketing automation specialists, and public relations executives. As the concept of privacy by design is introduced as a legal requirement in the GDPR, designers are forced to ensure that privacy is weaved into the design of systems and not just as a secondary component. Data collected should only be crucial for the function leading to the reevaluation of what constitutes necessary data at every step. The new policy will force all data privacy to become an integral component to every organization, from system design to product development.
Who will be penalized?
Given the extent of the online network and the number of players involved, questions still remain as to who will be condemned if a shared partner or connection violates the new data privacy rules. In the past, most companies have aimed for a single set of privacy rules for all users across the globe. However, pending future changes, many are opting to create a separate set of privacy rules just for its EU users. This may evolve to European users experiencing an entirely different internet from the rest of the world.
Failure to reshape any and all necessary data policies will result in a steep fine of 4% of the company’s global turnover or €20 million (whichever greater). However, this is the most severe of fines and will most likely be distributed in a tiered system manner as follows:
Tier 1: €10 million or 2% of total annual global turnover (not profit) of the preceding financial year, whichever is greater
Tier 2: €20 million or 4% of total annual global turnover (not profit) for the preceding financial year, whichever is greater (www.eugdpr.org)
How can you prepare?
As a business operating in the digital world, it is important that preparations are made to ensure policies are followed. Can you answer the following questions?
- How are you collecting data?
- How are you using the data?
- Who are you sharing the data with?
- How are you storing the data?
- Finally, how are you deleting the data?
To read the EU GDPR regulation, CLICK HERE.
If you’d like to learn more about online privacy issues facing brands, online marketing of data best practices, contact the digital team at Morgan & Co.