
The Marsden Marketing Blog


    Will GDPR affect my company? Take this quiz to be sure.

    Written by David Doughty on April 18, 2018

    The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and companies are trying to figure out how this sweeping regulation affects their businesses. Even if you haven't started planning for the changes, you're in the right place: GDPR applies to companies of every size if they store or process any information on European Union (EU) residents.

    In this blog, we'll cover the basics of GDPR and the six major changes taking place, and then take a quiz to check your understanding of the regulation. Larger companies may also need to consult legal counsel because of the complexity surrounding regulatory compliance.

    What is GDPR?

    GDPR is a unifying update to EU law that applies directly to the processing of all personal data. Its general purpose is to strengthen the rights of people within the EU and the European Economic Area (EEA) with regard to how their personal data is used and how it’s protected. 

    6 Changes Taking Place

    If you would like to know more about the important regulatory events leading up to the GDPR, read How did we get here?

    The key aspects of the new regulation are covered in the following six changes (outlined at a high level). If you think that any of these changes might affect your organization, then you can read the full GDPR Regulation.

    Here are the six changes:

    1. Penalties

    One of the largest changes under GDPR is that organizations in breach can be fined up to 4% of annual global revenue or 20 million euros (whichever is greater) per incident.[1]

    2. Extra-Territorial Scope

    GDPR will apply to all processing of personal data “in the Union” (regardless of citizenship). Even when processing does not take place in the EU, the GDPR applies to organizations that have “establishments” in the EU OR offer “goods and services” to people in the EU.


    3. Consent

    The request for consent must be given in a clear and easily accessible form. It cannot be mixed with other matters, such as being buried in the "fine print" or in another document in small grey font. This means you can no longer tell people they consent simply by clicking the submit button.

    Instead, you will need a checkbox that clearly states consent to the collection of their information, and it will have to be checked before the form can be submitted.

    4. Breach Notification

    Notification of any data breach must be completed without “undue delay” and “where feasible” within 72 hours of having first become aware of the breach of personal data.


    5. Data Subject Rights

    • Right to Access
      Individuals you have collected personal information on (Data Subjects) have the right to obtain confirmation from the person at a company who processes that personal information (Data Controller) as to what, where, and how their personal information is being used.

    • Right to be Forgotten
      Data subjects have the right to ask the data controller to erase their personal data.

    • Data Portability
      Data subjects are entitled to receive the personal data that has been collected about them in a "commonly used and machine-readable format" and to transfer that data to another data controller.

    • Privacy by Design
      All collectors of data are required to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.[2] This is in contrast to applying data protection efforts after the fact.

    6. Data Protection Officers

    When the GDPR becomes effective on May 25th, organizations that collect or process EU residents' personal data will be required to appoint a single data protection officer (DPO). This person will be responsible for overseeing data protection strategy, keeping the company in line with the GDPR requirements, and interacting with the appropriate authorities. The only credential a DPO should have is "expert knowledge of data protection law and practices," according to Article 37 of the GDPR.[3]

    The DPO role can be combined with another job description, which is recommended for smaller companies. You can also download this "Appointment of a data protection officer" template[4] to use as official documentation in case you ever need to show authorities the formal appointment of the position.

    Take the Quiz




    Conclusion

    You should now feel confident about the changes you will need to finalize in the coming weeks. For marketers, ensuring you've made adjustments to forms, landing pages, email databases, and other tools commonly found in marketing automation platforms is a great place to start. Here are a few additional resources that will give you more details on handling GDPR, as well as information from the top three marketing automation platforms.

    NOTE: This blog is a high-level primer on the GDPR regulations. It is not legal advice. If you think you need legal advice, get it.



    Sources:

    [1] EU GDPR Portal, Frequently Asked Questions

    [2] Sabba Mahmood (née Mirza) and Leonie Power, Privacy, Security and Information Law

    [3] GDPR Article 37, "Designation of the data protection officer"

    [4] Active Mind AG, DPO Appointment Template
