This month, the GDPR (General Data Protection Regulation) legislation covering the entire European Union is coming into force. This is such a detailed and comprehensive package of regulations that even US companies may be subject to many of its provisions. Here’s the lowdown:
The GDPR is a sprawling piece of legislation with VERY sharp teeth for breaches. It has taken a truly holistic approach to privacy and, due to the size of the territory covered and the fact that non-EU companies can be subject to it, may be the benchmark for many other markets to follow.
Several big internet players have even opted to extend largely the same privacy and data-storage measures to users outside of the European Economic Area (EEA), and so their requirements for advertising with them are changing too.
In a nutshell, the GDPR specifies the nature of data about any individual over which that individual should have insight and control. It covers everything from an IP address to the telephone number and beyond.
In addition, it requires that deleting such data and withdrawing consent for its collection should be every bit as easy as opting in to collection and consenting to being tracked, etc. Users must be able to withdraw consent at any point.
What is collected must be strictly relevant and easy to understand by the user.
Non-EU/EEA businesses that routinely trade with, or collect the data of, anyone within the EU must comply with the GDPR so don’t feel like you can look away if this covers your business.
The consequences of a breach can be eye-watering – potentially €20m or 4% of annual turnover, whichever is greater!
This has been coming for some time, with numerous court cases in Europe and a clear tendency of the EU to try to place large internet firms (who are effectively enormous data warehouses) on an ever-shorter leash. Microsoft and Google, for example, have landed themselves multi-billion dollar fines – although not concerning privacy.
The recent Facebook travails are just a reminder of how much trust is placed in these corporations and had no bearing on this legislation, which was passed some years ago.
Standardizing privacy and data security requirements in the EU should level the playing field in a significant but otherwise varied market (dozens of languages and many brands that have not ventured outside of their home country) but may also be a sign of things to come in other major markets.
Those who support the measures say that the heightened trust that should result from them will bolster online growth with more consumers feeling comfortable trading with web-based firms.
May 25th is the deadline for compliance but non-EU companies typically have a bit longer to comply. However, Google and Facebook will start to play hardball with advertisers who aren’t doing what is required, so do ensure you’re in the know and prepared.
So good luck and here are a few more resources for your GDPR investigations: