There has been a lot of talk around GDPR (General Data Protection Regulation) and what it means for businesses that work with European companies or consumers. The GDPR leaves a little too much open to interpretation, so here are our guidelines and advice for meeting its requirements.
What is it?
A new EU law that governs the usage, transfer, and storage of data. The areas of highest importance deal with storing when & how communication recipients opted in, “sunsetting” them after a period of inactivity, and ensuring security when data is transferred overseas.
Why is this important?
Previous data protection legislation, such as CAN-SPAM act of 2003 and the EU Data Protection Directive of 1995, were written and implemented decades ago and are relatively toothless when it comes to protecting our data and privacy. Advances in technology have changed both what data we’re able to collect and what we’re able to do with it, which has prompted new laws like CASL and GDPR to increase protections on the data of private citizens and impose harsh penalties for infractions.
Who does it affect?
Any company dealing with EU businesses’ or residents/citizens’ data, even if the company is not based/operating in Europe. Similar to the way CASL changed the requirements to market to Canadians, GDPR affects you if you have prospects/customers who reside in the EU regardless of whether you or your company are also in the EU. It is important to note that the law does not specify that they must be a citizen/resident of the EU, only that they are “in the EU.”
When does it take effect?
GDPR officially becomes applicable on May 25th, 2018.
If you currently have prospects/customers in the EU, immediate action will be necessary to ensure that you fully comply with GDPR guidelines. Auditing where and how your data is stored, and what data is being stored, is a good first step—with an emphasis on timestamps of when they opted-in as well as their last engagement/interaction.
Considering that this is not the first law passed to increase and regulate privacy protections, we may soon see similar protections required within the USA to replace or augment existing law (especially with the rise of privacy concerns in the wake of Facebook data harvesting and Cambridge Analyitica).
So, requiring that opt-in date/time/method and last engagement date/time/method be captured is a great first step in readiness for such a change, even if GDPR will not affect you today.