If you’re in the digital marketing or analytics industry, you have probably been inundated with communication from vendors and partners regarding the General Data Protection Regulation, commonly referred to as GDPR. Below, we’ve highlighted what GDPR is, why you should care, what impact it will have on your business, and what actions you need to take.
What is GDPR?
GDPR standardizes data protection law across all European Union (EU) countries and imposes strict rules on how personally identifiable information can be collected, stored, and used. The law goes into effect on May 25th, 2018, and all organizations working with the data of EU citizens must comply or face heavy fines. GDPR applies to every business that collects data from customers in the EU, regardless of the company size, location, or intentions.
Why should you care?
GDPR applies to all organizations that handle the personal data of EU residents. Many companies located outside the EU are unaware that the new EU data regulation applies to them. If an organization offers any products, services, or information to EU residents, it must meet all GDPR compliance requirements. Gartner predicted that up to 50% of American firms will not be compliant. Organizations that do comply with the required transparency should find that it helps build brand trust and equity among consumers.
How does GDPR impact your business?
Fines for noncompliance can be significant. A maximum fine of 4% of global revenues can be applied to companies that fail to gain user consent or violate core data security expectations. Lesser fines of 1-2% of revenues can be applied in situations where a company keeps incomplete records or implements insufficient data controls. GDPR also requires a Data Processing Officer (DPO) to be appointed by EU government entities or public bodies, and by any company that processes or monitors data subjects or sensitive information of EU citizens on a large scale.
What actions should your business take?
Below are a few steps that can help guide you toward GDPR compliance:
- Create procedures for breach notifications.
- Determine if you’re a controller or a processor. The regulation breaks out responsibility for protecting data into two roles: controllers and processors.
- Audit your data and know which technologies are being used on your website.
- Take the time to understand what data your business is collecting and why.
- Review what consent and disclosure look like for your customers. Get the consumer’s blessing on data collection.
- Evaluate exactly what third-party processors are collecting, where that data is going, and how it’s being used.
- Keep a document on data processing and create a process to refresh the documentation periodically.
- If a breach occurs, take action to inform regulators within 72 hours and be ready to inform consumers as quickly as possible.
GDPR Impact on the United States
In our opinion, it’s a matter of time before the US government takes action on data collection. With Facebook data privacy being a “hot button” issue currently, antitrust questioning, data collection, and consumer privacy are on the radar of the US government and citizens who watched the Congressional hearings. You would think that the US government is closely watching and measuring the impact of the GDPR to see if it’s worth considering within the US.