• You must be compliant by May 25, 2018, or face fines of up to 4% of your global revenue
• It doesn’t matter if your business isn’t in the EU
• Consent is not assumed and must be given under-informed circumstances
Marketers have long tried to balance the quality vs. quantity issue for their databases. As email software and technology has evolved and allowed for better targeting, marketers have had to continuously defend their decisions to leave chunks of email addresses off of their lists.
That fight is over, though, as there is a new law that updates the regulations around customer privacy and will determine how marketers are able to build and manage their databases.
Effective May 25, 2018, a new data protection regulation in the EU, the General Data Protection Regulation (GDPR), brings the focus to the protection of personal data in the age of technology. This new law replaces how marketers were required to handle data under the 1995 EU Data Protection Directive (DPD) and shifts the responsibility and obligation of data management to businesses. Gone are the days when marketers can pre-check that “sign me up for emails” box.
GDPR regulates how companies process the personal data they have, including how they collect it, how they store it, and how they use it. The law is enforceable in all EU states, and also covers all EU individuals; regardless of the physical location of the business. GDPR has a broad definition of ‘personal data,’ meant to protect individuals, and expands to include any data that can identify an individual. The new regulations also cover how companies must handle security and data breach notifications.
Previously, companies could assume consent to contact customers and leads based on actions that individuals took; those days are gone. Companies now carry the burden of being transparent and obvious in gaining consent and must actually gain consent – silence is no longer considered consent.
GDPR reckons the ‘silence’ part of consent by stating that individuals have the right to be forgotten if they are inactive and do not clearly consent to continuing to receive communications.
GDPR also gives power back to individuals by allowing them to obtain a copy of the data that is collected about them. The power is given to the individual here, as they can request to know what data a business has collected about them and can also request that that data be deleted.
Under GDPR, companies will not be able to charge customers for obtaining this data (there are exceptions that can be made if excessive costs can be proved). Businesses will be required to respond to requests within 30 days; again, exceptions can be made, and companies can refuse requests if they can prove that the request is unfounded or excessive.
Even so, each company must have policies in place that determine why, when, and how it will refuse these requests and will also have the burden of demonstrating when requests meet the criteria in those policies.
Companies that do not comply with the new regulations may be fined up to 4% of their global revenue. While this new law might seem intimidating, it can actually help businesses get true statistics on their marketing efforts and increase both their ROI and sales. Fear not, you will survive this reckoning.
Stay tuned for part 2 of our GDPR series where we will explore how to calm the data loss panic and why this change will be good for databases.
DISCLAIMER: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Digital Style has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.