Brace yourself for the next wave of data protection rules from our European neighbors. Time is running out for marketers to begin preparations for the new data privacy regulation adopted by the European Union (EU). The EU Parliament approved the General Data Protection Regulation (GDPR) on April 14, 2016. As expected, the GDPR will have a significant impact on every company that does business into or out of the EU.

The GDPR enforcement date is May 25, 2018.

The new privacy regulation will affect how businesses process the personal data of consumers living in the EU. On the upside, the privacy provisions are consistent across all 28 EU member states, which means businesses have only one standard to meet when marketing within the EU. Having one regulatory standard will be a benefit to marketers who will no longer need to parse through stacks of varied rules before marketing into individual countries.

However, the downside is that the EU has set a high standard that will require most businesses to make a large investment to meet and administrate. Businesses unwilling to make the investment may need to consider pulling out of that market or face extremely high fines.

If your business handles personal data and plans to conduct business in the EU, you should first review your current data privacy practices in order to evaluate risk. With implementation of the GDPR less than a year away, businesses must begin to change internal policies now in order to be ready to comply by May 25, 2018.

What is the GDPR?

The GDPR replaces the outdated 1995 Data Protection Directive. In addressing the complex new frontier of the digital world, it provides a unified solution for protecting the personal data of EU consumers. The regulation encompasses all EU member states and citizens.

Global enterprises with operations or customers in the EU must comply or face heavy fines. A breach of the GDPR could put your company on the hook for penalties up to 4% of your annual global revenue, or 20 million Euros (whichever is greater).

GDPR fines are up to 4% of your global annual revenue.

The GDPR affects almost all organizational departments that handle data by forcing them to change how they process, store, and protect consumers’ personal data. From legal to human resources to marketing, all departments must be prepared to comply. In general, individuals must be notified of how long their data will be stored, if it will be moved, and allow consumers to access and delete their data under specific conditions. Compliance will require changes in privacy notices, consent notifications, breach notifications and more.  

How does the GDPR Impact Consumer “Consent”?

The GDPR tightens the rules for obtaining consent. It specifies that consent must be “unambiguous”. An affirmative response is required from consumers as an indication that they agree to permit your business to process their personal data. Silence, inactivity or pre-checked boxes will not be acceptable responses for expressing consent.

A consumer’s “explicit” consent is required when dealing with sensitive data and other processing activities such as automated decision-making. Though, “explicit” consent is not defined in the GDPR it will likely require the consumer’s documented clear statement (oral or written) of their approval.

According to the GDPR, personal data that is stored by a business can be retained “no longer than is necessary for the purposes for which the personal data are processed.” There also must be a process in place that allows consumers to withdraw consent as easily as it was given.

How does the GDPR Impact Outsourcing?

The GDPR requires businesses to be transparent and accountable for their handling of personal data by maintaining records of data processing activities. Businesses who employ third-party service providers to process personal data on their behalf (i.e. assisting with marketing campaigns) may be familiar with the current requirement for data processing agreements.

The GDPR requires the primary business owner to contractually bind their third-party service providers to their policies and procedures for ensuring data privacy. Business agreements will include specific requirements that place legal obligations on the third-party which include security measures, record keeping and data storage.

Closing Thoughts

The stringent rules of the GDPR increases the likelihood of marketers to make inadvertent mistakes which will likely make it easier for consumers and serial litigators to claim damages. It also, offers significant financial incentives for companies to live up to their GDPR obligations or else lose business to competitors and pay heavy fines.

Also, be aware that performing impact assessments is another requirement of the GDPR. The intent of the process is to help mitigate the risk of data breaches by identifying vulnerabilities and how to address them. But it does present another challenging requirement that businesses must report data breaches to supervisory authorities and consumers affected by a breach within 72 hours of when the breach was detected. Failure to do so will result in heavy fines.

If you are planning on doing business in the EU, you will want to read the business requirements before you begin a marketing campaign. Review the GDPR Key Changes which provides a summary of the new regulation or the complete EU Regulation for the detailed requirements.

Any company that conducts business in the European Union needs to be up to speed with the GDPR or risk financial penalties and the loss of business. Of course, a future concern for marketers in the United States is that if the GDPR is successful will Congress pursue a similar regulation?