What is GDPR?
In April 2016, the European Union adopted the General Data Protection Regulation (GDPR), which took effect on May 25, 2018 and replaced the EU Data Protection Directive. The goal of GDPR is to provide new regulations around data, privacy, and user consent when it comes to collecting and processing personal data from consumers. This includes the use of data in targeting consumers for marketing campaigns and gathering information based on their user behavior.
The regulation will affect organizations in the EU, as well as those located elsewhere with operations in the EU or any that have EU citizens as customers. U.S. companies that conduct business in the EU or market to EU citizens will need to be compliant, which is why you might see some of the global brands you work with confirming your consent, even though they are not legally obliged to do so in the U.S.
GDPR Compliance Requirements
For companies that don’t comply, there will be severe financial penalties of up to €20 million.
To be compliant, companies must do the following:
1. They need to have a legal reason for collecting data, and should document it in writing.
2. They need to obtain explicit consent from individuals for their data to be used for specific purposes and for specific periods of time.
3. Individuals have the right to request details about the information that is collected, including how the data is used, whether third parties have access, and changes of consent, and they may also ask that their data be deleted. Businesses need to be set up to respond and comply quickly.
4. Personal data can only be transferred outside of the EU to recipients in countries that are considered to have ‘adequate protection’, which is determined by The GDPR Commission. Right now, that covers only a handful of countries, including Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the U.S.
GDPR Compliance Plan and New Jobs Being Created
Three new jobs will be formally created out of GDPR, to ensure companies are compliant. Companies will need to report who these people are to The GDPR Commission to ensure open communication and transparency.
• Data Controllers are people who own the customer relationships and who are ultimately responsible for the use and security of the data. They need to take appropriate measures when it comes to encryption, ongoing confidentiality of data, and evaluating the effectiveness of the measures in place.
• Data Processors are people who handle the data on the controller’s behalf, obtaining, recording, and subsequently using the data within the terms the controller has set forth.
• Data Protection Officers are appointed for companies that carry out data processing for a public authority or carry out activities that include regular and systematic processing of large-scale, sensitive data. This person is ultimately responsible for the data protection issues related to your business, should they arise.
MNI’s POV on GDPR Impact on U.S. Business
As of right now, GDPR does not affect U.S. companies conducting business and marketing to U.S. audiences.
Of course, that doesn’t mean that something similar won’t come to the U.S. in the next 24 months. There’s a buzz in the industry right now regarding data security and regulation, which is only made stronger by the passing of GDPR and the Zuckerberg Senate hearings, as a result of the Cambridge Analytica breach.
That being said, there are several studies in the U.S. suggesting that technologies and data that allow consumers to receive advertisements tailored specifically to their interests are considered valuable and expected, so it’s very possible U.S. lawmakers will feel less compelled to address behavioral targeting as it relates to advertising.
GDPR is a hot issue that will continue to evolve. Look to MNI for any new information about GDPR, and how it will affect your business.