The terms 'fake news' and 'artificial intelligence' have helped inspire the commonly held view that we are fast approaching an Orwellian-type society. As a reaction, the topic of data privacy has been thrown into media spotlight. Regulators have addressed public concern and advancements in technology by reviewing and amending current legislation and directives. In May 2018, we saw the most important change in data privacy regulation in 20 years.
The EU General Data Protection Regulation (GDPR) was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” Below is a quick guide to what this new regulation means for business.
Who does GDPR affect?
The GDPR affects any businesses that control or process the data of European Union citizens. That means if you market products or services to people in the EU or monitor the behavior of people in the EU, you are required to be compliant. The rules apply to both controllers and processors of data, meaning ‘clouds’ are not exempt from GDPR enforcement.
Why has GDPR been put into effect?
The previous EU directives for data protection regulation were formed in 1995. Information technology has changed considerably since then, making an update necessary to adequately protect EU citizens.
What was the deadline for GDPR compliance?
All businesses needed to be GDPR compliant by 25 May 2018.
What has changed?
Some of the main changes are:
- Consent to collect personal data must be clearer and given through an easy to access form. Companies will no longer be able to use long illegible terms and conditions. It must be as easy to withdraw consent as it is to give it. “Personal data” includes but is not limited to their name, phone number, email address, reservation number, or IP address.
- New individual rights. Individuals have a “right to be forgotten” that requires controllers to alert downstream recipients of deletion requests and a “right to data portability” that allows individuals to receive a copy of their data.
- Extended jurisdiction. Previously the directives would only have applied to businesses within a specific geographical location. With these changes, GDPR is a regulation that applies to any business around the world.
- Penalties for breaches are stronger (see below).
How is social media affected?
Individual consent and data use is covered by the terms and conditions and privacy notices of each social media tool. This means that everyone using Facebook, Twitter, Instagram and other platforms agree to the terms of the platforms. The social platforms need to have an accountable EU representative that can be held to account for the GDPR compliance.
What happens if my business doesn’t comply?
The maximum fine is up to 4% of annual global turnover or €20 Million (whichever is greater).
Examples of what you’re NOT allowed to do
- Using a customer’s email address to send them undeclared marketing emails
- Keeping customer data that is not required for business processes
- Selling personal information to a third party
- Adding identifiable public data on your customers and adding it to a CRM without consent.
What is Local Measure doing?
Local Measure’s products that collect contact details directly from customers now include a collection notice with an explanation on what is being collected and why it is being collected in plain English. The notice also gives customers the relevant Data Protection Officer contact details and outlines how a customer can get in contact with us and our client.
Disclaimer: This blog post does not constitute legal advice for complying with EU data privacy laws like the GDPR. It’s meant to be used for informational purposes only. We strongly suggest you review out https://www.eugdpr.org and seek legal advice for your business circumstances.