The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. Find out how it affects communicators.
It turns out I’m not alone in being behind the curve. According to a Data & Marketing Association study of 250 respondents, almost half of affected businesses will be unprepared for GDPR’s enforcement date.
So, what is GDPR? And, as communications professionals, what do we need to know to safeguard ourselves and our clients? Here are the nuts and bolts of:
- what GDPR is
- when it becomes enforceable
- who it affects
- what sanctions there are for non-compliance
What is General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU) [Wikipedia].
What does the GDPR do?
Under the General Data Protection Regulation (GDPR), all companies will be required to gain consent from individuals before collecting their data. Users will be notified that the company wants to use their data and what they want to use it for. They will be told that they have the right to refuse parting with their personal information.
How is personal data defined?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. [EUGDPR.org]
Who are the winners of GDPR?
In terms of data protection: EU citizens. The law gives European citizens more control over what happens to their data.
Commercially, the big winners will probably be Google, Facebook and Amazon, according to Digiday, because they have a direct relationship with their customers across numerous devices.
Independent publishers that lose ad revenue from the fallout may flock to products like Facebook’s Instant Articles. The upside for publishers will be avoiding the costs of achieving compliance. The downside is twofold: compromising on ad revenue, and ceding control of distribution to Facebook.
Other likely winners are law firms, compliance companies and the EU parliament, the latter potentially collecting a windfall in fines from companies that fail to comply.
Are there any losers?
Ad-tech companies, for sure. Also, publishers that rely on third parties to sell subscriptions will suffer. If the intermediaries can’t collect data for targeted advertising, publishers will lose out on revenue.
Publishers could shift distribution to platforms such as Facebook's Instant Articles. The downside is decreased ad revenue and loss of strategic control in their distribution.
One way for publishers to push back against Silicon Valley's stranglehold on media distribution is to band together and create data co-ops.
Paradoxically, EU citizens may suffer if media outlets that are unable to manage their own privacy compliance go to the wall.
I don’t work in the EU - does GDPR affect me?
GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
I have email subscribers on my blog, am I affected?
Yes, according to marketing automation platform Communigator: under the GDPR “it is no longer enough to rely on a form fill and add the [email subscriber] to your database. Anyone can enter any email address into a form. You must now prove it was the person whose email address it was.” In practice, this means that website owners must capture email subscriptions via a double opt-in.
What about existing personal data held?
Not only will publishers need to get permission from readers starting in 2018, but companies will need to get renewed permission from people they already have profiles on.
When does GDPR go live?
The General Data Protection Regulation (GDPR) was adopted on 27 April 2016. It becomes effective from 25 May 2018.
How will GDPR be enforced?
With fines. Big fines. Companies that fail to comply will face eye-watering fines of up to €20 million (£17.4 million) or a maximum 4% of their global revenues - whichever is the higher.
Where can I learn more about GDPR?
- A marketer’s guide to the looming EU Global Data Protection Regulation by Digiday
- The Information Commissioner’s Office has created a useful 12-point checklist to prepare for the General Data Protection Regulation (GDPR): Preparing for the GDPR in 12 steps
- GDPR portal