Many of you know by now that the EU’s General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used. The goal is to harmonize, modernize and strengthen data privacy and processing policies across Europe. GDPR replaces Directive 95/46/EC (the ‘Data Protection Directive’), which is out of date due to evolving technology standards.
Overall, the EU wants to give people more control over how their personal data is used, bearing in mind that many companies like Facebook, Google, and many more swap access to people’s data for use of their services. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy. Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
GDPR requirements will be enforced starting on May 25, 2018. It requires organizations to diligently protect personal data, as well as provide proof about how that data is protected.
GDPR sets a high standard for consent, which will have a huge impact on the marketing industry. Customers will need to be given choice and control over how their data is handled. To comply, you’ll need to know how the GDPR defines personal data, where it’s located in your business, how it’s used, who can access it, and much more.
The GDPR affects ANY business, including us at Return Path, that collects, processes, stores, and uses data from people residing in the European Economic Area (EEA). It affects you whether or not your organization is headquartered in the EEA, and whether the processing itself takes place inside or outside the EEA. This means that whether you have European headquarters, or are only a firm with offices or customers in Europe, you need to adopt new practices to ensure full compliance with this regulation.
Organisations like us have started by understanding what data we acquire, hold and process, and the legal basis for that. Privacy needs to be designed into systems and processes, and respect for data subject rights needs to be stepped up. Policies and procedures for handling any security breaches need to be in place. At its heart, however, data protection is about the same issues – understanding what data you hold and why. Businesses need to review their data protection policies and technology to check they are compliant, and should not be shy of reaching out to their local regulatory body or to a trusted consultant for advice to ensure they get it right. Be proactive and protect the data you hold, encrypt it and always keep up to date with your security solutions. Data breaches occur every day – and the EU has just increased the consequences of inadequate privacy.
Stick around over the next few blog posts to hear more things such as how consumers intend to benefit, or how to ensure you’ve obtained proper consent, or what it means to be a controller and processor of these protected data types. Wondering what we at Return Path are doing to prepare for the General Data Protection Regulation (GDPR)? You can read more here about some of the things we are doing and are considering.