The EU General Data Protection Regulation (GDPR) goes into effect May 25, 2018, and if you do business in Europe, you need to ensure your company is compliant.
The good news is, if you are handling data appropriately, respecting your customers’ personal information, and practicing permission-based marketing, then you likely need to do very little to prepare for GDPR.
From the GDPR website: The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.
Who It Affects
All companies processing the personal data of data subjects (natural persons) residing in the Union, regardless of the company’s location.
According to euGDPR.org, “‘Personal data’ is anything that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
A data subject should not be confused with a citizen. GDPR is applied to any person, regardless of citizenship, that is residing in the EU when the data is collected.
Companies must obtain consent from data subjects in an intelligible and easily accessible form. To be compliant, consent must be “freely given, specific, informed and unambiguous,” according to euGDPR.org. Additionally, withdrawing consent (opting out) should be as easy as giving it.
Picreel Customers: Practicing permission-based marketing will keep you on the right side of the law, regardless of where your customers are located. Have a process for obtaining consent from ALL prospects (asking them to opt-in), maintain a record of the consent, and always provide a clear and easy way for people to opt-out or manage their subscription options.
Under GDPR, data subjects (your prospects and customers) in the EU have the right to:
- Be notified of data breaches within 72 hours
- Access their personal data and obtain a free digital copy upon request
- Have their personal data forgotten (Data Erasure), such as when consent is withdrawn (opting out)
- Electronically transmit their personal data (Data Portability)
Picreel Customers: Understand your prospects’ and customers’ rights and have processes in place for meeting each.
According to euGDPR.org, “companies must implement appropriate technical and organizational measures in order to meet the requirements of GDPR and protect the rights of data subjects.”
Picreel Customers: Have a process in place for managing opt-out requests and effectively removing people from your database. While it may not be a common occurrence for your business, it’s also important to have a process in place for handling requests to access and transmit a customer’s personal data, should they ask. Ensure your systems have protective digital privacy measures implemented to prevent unauthorized access, and do not participate in the unethical buying or selling of personal data.
At the end of the day, all businesses have a responsibility to be good stewards of their customers’ personal data. Protecting your data, practicing permission-based marketing, and being transparent about how data is used are simply good business. Data protection laws like GDPR exist to protect consumers against unscrupulous practices, and for businesses already doing the right thing, the regulations are easily met.
Disclaimer: This information contains a high-level overview of GDPR, but is not intended as legal advice. Please contact your legal advisor or attorney for specific advice about your company’s compliance with international data protection laws.