GDPR. If you or your clients work with any data that crosses into the European market, this abbreviation (which stands for General Data Protection Regulation) has likely been burned into your subconscious since 2016. If you don’t, you may have only recently started hearing the acronym in the news.
So, what exactly is GDPR?
As the world of technology expands, so does the amount of personal data that’s being collected. Questions abound: What data is being collected? Is the data stored properly? What happens in the event of a security breach? Can a consumer find out what personal information of theirs has been shared with a company? And so on…
That’s where GDPR comes in. GDPR is binding legislation that outlines data collection and protection requirements across the European Union. After recognizing the lack of updated data protection laws, the European Union Commission passed GDPR in 2016 to protect consumer information and make data collection more transparent. Following a two-year transition period, GDPR goes into effect on May 25, 2018.
Under GDPR, businesses worldwide can only obtain and store data from European users if they have a lawful basis for doing so. In other words, marketers must obtain specific approval from consumers to gather and keep any personal information like email addresses and browser data obtained through cookies. Each company is also required to provide customers with a rundown of all the data it has ever collected should they ask, plus offer the option to have their data deleted at any point.
Despite its looming launch date, a lot of marketers remain misinformed about GDPR. Many don’t fully understand the regulation, the effects it can have on their brand, or how to be in compliance. Let’s take a look at four common myths surrounding GDPR:
Myth #1: If I’m an American company, I don’t have to worry about GDPR.
False. GDPR is designed to protect EU consumers, not EU companies. European customers can easily find their way to any website in the world. Whether you’re an American manufacturer, a mom-and-pop shop in Europe, or a brand with a strictly digital presence, every single one of your European consumers is protected by the new regulations and you must comply. Since we live in such a globalized world, the odds that GDPR-protected visitors will land on your site are pretty good, so it’s wise to get on board now.
Myth #2: GDPR was a direct result of Facebook’s Cambridge Analytica scandal.
False. Despite its very coincidental timing with the Facebook scandal, GDPR has been in the works since 2012. The last data protection law was the 1995 Data Protection Directive, and while many technological advances have occurred since then, the European Union Commission hadn’t updated data regulations until now.
Myth #3: The penalties for noncompliance aren’t that big.
False. Expecting just a slap on the wrist couldn’t be further from the truth. While the consequences of non-compliance vary from company to company, European regulators can fine businesses up to four percent of annual global sales. So if your company makes €1 billion, you could face a fine of €40 million, which is big money. Penalties for smaller firms would be capped at €20 million, but that’s still a costly payout you don’t want to risk.
Myth #4: GDPR goes into effect on May 25, 2018, so it’s too late to make any changes.
False. Think again. Digital marketing tools like Mailchimp and HubSpot have made it much easier for corporations to comply with GDPR. Whether or not your brand uses these platforms, this list should help you get started:
- Determine what data your company collects and stores.
- Make sure you’ve obtained the proper consent to keep this data. If you haven’t, send a consent email to your contacts to cover your bases.
- Add a double opt-in feature when collecting email addresses that asks consumers to confirm that they really want to hear from you. This should happen on your website and anywhere else you ask for information.
- Check that you’re storing data in a secure location, and develop a crisis plan in the event of a breach.
- Establish procedures to handle requests from users to modify, delete, or access their personal data.
GDPR is here, and it’s definitely not going away. In fact, it’s likely just the tip of the iceberg of broader data protection strategies organizations will need to adopt in the months and years ahead. Don’t let the myths about GDPR lull you into complacency. Instead, follow these steps to set your business on the course to GDPR compliance.
Note: This post is designed to be a resource educating marketers on the details of the General Data Protection Regulation and should not be considered legal advice. To learn how GDPR affects your business, contact your legal counsel, and for the full GDPR mandates, consult the official text of the regulation.