Most marketers know that the European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018.
However, a recent Gartner report on GDPR readiness suggests that a majority of organizations affected by the new EU privacy laws will not be fully compliant by the deadline. With the costs of non-compliance starting at €10 million, and the deadline now less than a month away, it is important that affected businesses take action now to ensure they adhere to the EU’s new set of data protection measures in time.
Who Does GDPR Apply To?
In short: any U.S. business that holds or processes EU resident data will need to comply with GDPR guidelines by May 25. That includes data on your employees, vendors and business contacts, and of course, your customers. It’s important to note that GDPR introduces obligations for data processors in addition to data controllers. That means, for the first time, companies that handle EU resident data on behalf of another company also need to adhere to specific regulations.
Analysts expect GDPR to impact 80 percent of U.S. businesses, so chances are good that the regulation affects your organization. However, if you do fall into the 20 percent unaffected at the moment, there are still reasons for you to care about GDPR compliance. While GDPR may be an EU-centric policy, the underlying consumer sentiment about data privacy certainly transcends the Atlantic. After massive data breaches at companies like Uber, Yahoo, and Equifax, more Americans are worried about data privacy than they are about losing their primary source of income. Adhering to GDPR policies, even if not currently required, aligns your marketing strategy with consumer demand while also keeping you in line with your competitors’ data privacy standards.
What Types of Data Fall Under GDPR?
The EU’s policy outlines several specific data types that must meet its guidelines. Primary among these is personally identifiable information (PII), which includes any data that could be used to identify an individual: names, contact information, and ID numbers (passport, driver’s license, etc.). GDPR also regulates “personal data,” which, while similar to PII, more broadly includes data such as online identifiers (IP addresses, mobile device IDs, cookies, etc.).
What GDPR Compliance Means for U.S. Businesses
GDPR comprises four main components that your business needs to comply with:
- The Right to Be Forgotten
EU residents now have the right to request that your company erase their data in its entirety from your database. The law requires that your company comply with those requests and have an adequate policy in place for fielding and processing these requests in a timely fashion.
- The Right to Object to Profiling
Similarly, EU residents can now object to your processing of their data. While a number of exemptions exist for companies using data for legal or research purposes, marketers should be aware that GDPR offers no exemption for objections to data processing for direct marketing. In other words, if a customer requests that you stop using their information for marketing purposes, you have no choice but to comply.
- Data Portability
GDPR requires data controllers to provide copies of customer data to the customer upon request. Customers may store that data for personal use or transmit it to another data controller.
- Data Breaches
Data controllers that experience a data breach must notify EU authorities within 72 hours of the breach. GDPR also requires data processors to notify the data controllers of any breaches.
Ready to get the ball rolling and ensure your business is GDPR compliant? Elite SEM partnered with Data Privacy Expert Jodi Daniels to outline 10 ways your business can get started on GDPR compliance today. Access our “GDPR Countdown to Compliance” webinar now.