The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and companies are trying to figure out how this sweeping regulation affects their businesses. Even if you haven't started planning for the changes, you're in the right place, because GDPR applies to companies of any size that store or process personal data of people in the European Union (EU).
In this blog, we'll talk about the basics of GDPR and the six major changes taking place. Larger companies, and any company whose processing is not straightforward, should also consult legal counsel because of the complexity surrounding regulatory compliance.
What is GDPR?
GDPR is a unifying update to EU law that applies directly to the processing of all personal data. Its general purpose is to strengthen the rights of people within the EU and the European Economic Area (EEA) with regard to how their personal data is used and how it’s protected.
6 Changes Taking Place
If you would like to know more about the important regulatory events leading up to the GDPR, read How did we get here?
The key aspects of the new regulation are covered in the following six changes, outlined at a high level. If you think any of these changes might affect your organization, read the full GDPR Regulation.
Here are the six changes:
1. Penalties
One of the largest changes under GDPR is that organizations in breach can be fined up to 4% of total worldwide annual turnover or 20 million euros, whichever is greater, per infringement.1
2. Extra-Territorial Scope
GDPR applies to all processing of personal data of people who are in the EU, regardless of their citizenship. Even when the processing itself takes place outside the EU, GDPR applies to organizations that have an "establishment" in the EU, that offer goods or services to people in the EU, or that monitor the behaviour of people in the EU.
3. Consent
The request for consent must be presented in a clear and easily accessible form, in plain language, and it cannot be bundled with other matters, such as being buried in the "fine print" or in another document in small grey font. Consent must be a clear affirmative action, so you can no longer tell people they consent simply by clicking the submit button, and a pre-ticked box does not count.
In practice, you will need an unticked checkbox that clearly states what the person is consenting to, which they must tick before submitting the form. You also need to be able to demonstrate that consent was given, and withdrawing consent must be as easy as giving it.
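The following is an added example of how the consent requirement above is usually enforced on the server side; it is not code from the original post. It assumes a hypothetical signup form with fields named `email`, `marketing_consent` and `consent_version`, and an invented notice text and version number. The point it shows that the paragraph does not: a browser omits an unticked checkbox from the submitted body entirely, so the server must treat an absent field as "no consent", must tie the consent to the exact wording the person saw, and must keep a record that can later show when consent was in force or withdrawn.

```javascript
// Added example (not from the original post): server-side consent check for a
// signup form. Field names, the consent notice text and its version are
// assumptions for illustration only.

const CONSENT_NOTICE = {
  version: "2018-05-25.1", // bump whenever the wording or the purposes change
  text: "I agree that ExampleCo may store my email address and send me its monthly newsletter.",
  purposes: ["newsletter"],
};

// Markup the form would render: the consent box is unticked by default and is
// separate from any terms-of-service acceptance, so consent is not bundled.
function renderConsentField() {
  return (
    `<label><input type="checkbox" name="marketing_consent" value="yes"> ` +
    `${CONSENT_NOTICE.text}</label>` +
    `<input type="hidden" name="consent_version" value="${CONSENT_NOTICE.version}">`
  );
}

// Browsers leave an unticked checkbox out of the submitted form body entirely,
// so "absent" must mean "no consent"; never default a missing field to true.
function validateConsent(body, now = new Date()) {
  if (body.marketing_consent !== "yes") {
    return { ok: false, reason: "consent not given" };
  }
  if (body.consent_version !== CONSENT_NOTICE.version) {
    // The person agreed to an older notice; re-ask rather than silently upgrade.
    return { ok: false, reason: "consent given to outdated notice" };
  }
  return {
    ok: true,
    record: {
      email: body.email,
      purposes: CONSENT_NOTICE.purposes.slice(),
      noticeVersion: CONSENT_NOTICE.version,
      noticeText: CONSENT_NOTICE.text, // keep the exact wording shown
      givenAt: now.toISOString(),
      withdrawnAt: null,
    },
  };
}

// Withdrawal must be as easy as giving consent. Keep the record and mark it
// withdrawn instead of deleting it, so you can show when consent was in force.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Check before every use of the data for a given purpose, not just at signup.
function hasActiveConsent(record, purpose) {
  return record.withdrawnAt === null && record.purposes.includes(purpose);
}
```

Note that the client-side `required` attribute on the checkbox is a usability aid only; anyone can submit the form without it, which is why the check lives on the server.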
4. Breach Notification
A personal data breach must be reported to the supervisory authority without "undue delay" and, "where feasible", within 72 hours of the organization first becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people affected, they must be told as well, without undue delay.
5. Data Subject Rights
- Right to Access
Individuals whose personal information you have collected (Data Subjects) have the right to obtain confirmation from the organization that decides why and how that information is processed (the Data Controller) as to whether their data is being processed, and if so what data is held, where it came from, who it is shared with, and what it is being used for, along with a copy of the data.
- Right to be Forgotten
Data subjects have the right to ask the data controller to erase their personal data, for example where it is no longer needed for the purpose it was collected for or where they withdraw consent and there is no other legal basis for keeping it.
- Data Portability
Data subjects are entitled to receive the personal data they have provided in a "structured, commonly used and machine-readable format" and to transmit that data to another data controller.
- Privacy by Design
Strictly speaking this is an obligation on controllers rather than a data subject right, but it belongs in the same conversation. All collectors of data are required to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.2 This is in contrast to bolting data protection on after the fact, and it includes "privacy by default": collecting and exposing only the data needed for each specific purpose.
6. Data Protection Officers
When the GDPR becomes effective on May 25th, some organizations will be required to appoint a data protection officer (DPO): public authorities, organizations whose core activities involve regular and systematic monitoring of people on a large scale, and organizations that process special categories of data (such as health data) or criminal-conviction data on a large scale. Other organizations may appoint one voluntarily. The DPO is responsible for overseeing data protection strategy, keeping the company in line with GDPR requirements, and acting as the point of contact for the supervisory authority. A DPO is to be chosen on the basis of professional qualities and, in particular, "expert knowledge of data protection law and practices", according to Article 37 of the GDPR.3
The DPO role can be combined with other duties, which is common in smaller companies, as long as those other duties do not create a conflict of interest (for example, the person who decides how data is used should not also be the one policing it). You can also download this "Appointment of a data protection officer" template4 to use as official documentation in case you ever need to show authorities the official appointment of the position.
Conclusion
You should now have a clear picture of the changes you will need to finalize in the coming weeks. For marketers, ensuring you've made adjustments to forms, landing pages, email databases, and other tools commonly found in marketing automation platforms is a great place to start. Here are a few additional resources that will give you more details on handling GDPR, as well as information from the top three marketing automation platforms.
- GDPR Site – A resource about the main GDPR elements.
- Full GDPR Regulation – The meat and potatoes.
- GDPR and Marketo – For companies with Marketo.
- GDPR and Salesforce Pardot – For companies with Pardot.
- GDPR and HubSpot – For companies with HubSpot.
NOTE: This blog is a high-level primer on the GDPR. It is not legal advice. If you think you need legal advice, get it.
Ensure you're ready for GDPR implementation. Download our GDPR checklist.
Sources:
1. EU GDPR Portal, Frequently Asked Questions
2. Sabba Mahmood (née Mirza) and Leonie Power, Privacy, Security and Information Law