What the heck is GDPR and how will it affect me?

I’m sure you’re aware of the 2017 Equifax data breach, in which approximately 143 million Americans “may” have had their personal data compromised. There are the high-profile data breaches that we hear about, and then there are the ones happening all the time that we never hear about. Strangely, the need for stricter privacy laws has not yet come to a head here in the U.S.

At the same time, privacy concerns are top of mind, especially if your company does business with or communicates with Europe. Most consumers welcome tighter regulation of data privacy, and the laws are changing … but what’s really happening?

Well, this. In Europe. New privacy legislation takes effect on May 25th of this year. It’s called the General Data Protection Regulation (GDPR), and it is intended to reshape the way companies collect and use personal data and behavioral information about people in the European Union (EU).

The law is largely location based: it protects people who are in the EU, not just EU citizens, so if you are a U.S. citizen vacationing in the EU, it applies to data collected about you there. The reverse also holds for a company with no EU establishment: if an EU citizen attends a trade show in Chicago, a U.S. organizer that does not otherwise offer goods or services to people in the EU is not pulled under GDPR merely because that visitor is European. (An EU-established company, by contrast, is covered wherever the processing happens.) Much of the regulation’s focus is on the privacy of electronic data and communications over the internet. Web-based tracking such as cookies, for instance, requires valid consent rather than a pre-ticked box; the separate ePrivacy rules that Europe is updating alongside GDPR are what would push browsers to block intrusive cookies by default.

Setting a New Data Standard

GDPR requires businesses to protect the personal data and privacy of people in the EU, whether the processing happens inside the EU or is done from elsewhere to offer them goods and services or monitor their behavior. In general, Europe has long had more stringent rules on personal data than the U.S. This legislation will most certainly set a new standard for consumer rights by forcing many companies to retire antiquated systems and build new processes to achieve compliance. The law also dictates how data breaches must be reported (notification to the supervisory authority within 72 hours of becoming aware of a breach) and under what conditions personal data may be transferred out of the EU.

From a marketing perspective, marketers will need to rely heavily on two of the law’s lawful bases for processing: consent and legitimate interest. Gone will be the days of fine print, or of a single blanket opt-in box giving a company permission for broad data collection. Consent must be specific and unambiguous, any terms and conditions must be written in clear language, and records of who consented to what, and when, must be kept because they can be audited.

Why should we care in the U.S.?

You may think this only applies to the tech titans here in the U.S., but that is not the case. Some industries that need to adjust their marketing practices now are:

  • U.S. based hospitality and travel services
  • Software services
  • Ecommerce companies

1)    If your company handles the personal data of people in the EU, you are probably already in the process of upgrading your systems to abide by the new regulation, or you could face heavy fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious violations). Believe it or not, over half of U.S. global companies say GDPR is their top data protection priority, according to a survey from PwC.

It’s imperative that U.S. companies understand what personal information they collect and use about people in the EU. This isn’t just a B2C marketing concern; it also covers EU-based employees and B2B marketing contacts, since business contact details are personal data too.

2)    GDPR will most likely set the stage for how personal data is treated and protected in other countries. Currently, the U.S. regulatory framework is fragmented and provides little overall structure. The sensible route would be to adopt legislation modeled on what is already in place overseas, which is a standard many U.S. companies have already begun working toward.

3)    From what I’ve read, most privacy professionals welcome GDPR, seeing it as the perfect opportunity to implement a policy based on a common set of standards and requirements. I mean, who wants to maintain multiple sets of standards for different jurisdictions? Locking into one standard is simpler and more efficient.

4)    Not to mention, we are on the heels of another U.S. election cycle. Hello, Facebook data scandal? This could provide a huge opportunity for lawmakers to spring into action, making personal data regulation a priority in their campaigns and setting themselves apart from competitors. At a time when cybercrime is becoming more rampant, it is the perfect time to put the GDPR wheels in motion.

The U.S. tends to create privacy laws only when a need arises. Lawmakers follow a sectoral approach instead of a holistic one, so our regulations are typically written for one category of information after that category has been mishandled. For instance, health information is regulated under HIPAA, which protects our PHI (Protected Health Information).

One thing I can definitively say is that we are experts at protecting your data. We’ve worked hard to achieve our multiple data privacy certifications, and we will secure your company’s PHI. I am also interested to see how GDPR could help address cybercrime if we all get on board. It’s time for everyone’s information to be held to the same standard as our PHI.

Image courtesy of hospitalitynet.org.