The Marketer’s Guide to EU’s General Data Protection Regulation

Person holding an index card that says "GDPR," which stands for General Data Protection Regulation

The majority of Relevance readers live and work in the US. However, the EU’s General Data Protection Regulation (GDPR) has the potential to impact any business with a website no matter its geography. There’s potential to be fined even if you don’t have customers in the EU. Businesses around the world are working on or have finished their compliance to this new regulation. It goes into effect May 25, 2018.

Two primary groups must comply with the General Data Protection Regulation:

  1. Businesses located in the EU
  2. Businesses not located in the EU, if they offer free or paid goods or services to EU residents or monitor their behavior (Ebook downloads?)

It’s designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

It seeks to apply these three updates to the existing 1995 law:

  1. A new transparency framework
  2. A new compliance journey
  3. A new punishment regime

Here’s some important information to know regarding the change and its penalties:

  • Companies have 72 hours after learning of a data breach to send a notification to your regulators
  • Fines can reach 4% of annual global revenue (or €20 million, whichever is greater)
  • Consumers now have the right to have data deleted, the right to move data (data portability), and the right to object to data processing, among others

The below is a truncated list of a person’s “data bill of rights.”

Breach Notification – companies must notify individuals if their data has potentially been accessed.

Right to Access – companies must provide individuals with electronic access to their data.

Right to be Forgotten – businesses must delete and cancel all third-party processing of an individual’s data if requested.

Data Portability – individuals can request their data in a commonly used digital format and move it to another data controller.

Privacy by Design – calls for the inclusion of data protection from the onset of the designing of systems.

My biggest concern with this new law is a potential wave of ambulance-chasing European lawyers making lists of US and other foreign companies out of compliance this year to sue. It might even cause some small online businesses to pull out of Europe entirely.

My advice to companies that do NO business in Europe and never intend to is to simply block all European IP addresses. There’s no need to be compliant with the regulation or be harassed by ambulance chasers.