The EU have just released the details of the General Data Protection Regulation or GDPR.
The good news is companies have two years to comply, the bad news is that you may well need them.
The new regulations are primarily in place to protect the public and to give them control over their personal data. It is also an attempt to simplify the regulatory process for businesses across Europe who would traditionally have had to deal with individual countries and inconsistent regulations between them.
So what does it mean for the public?
Companies all over the world hold information about individuals on varying different levels of detail. The development of the internet means that the level of detail of this information is ever increasing along with the ways in which it is being used. Whenever you make a purchase online, chat with friends or check your bank account, there is a multitude of sensitive data being used and created. What happens to this information afterwards? What rights do you have in relation to this information? But most importantly, what measures are being taken to ensure it doesn’t fall into the wrong hands?
In their own words ‘Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.’
These new rights include the right to be forgotten. People now have the right to erase any personal data being stored about them without ‘undue delay’. This includes an obligation for companies to inform any 3rd parties that a request to delete this information has been made. There is also a ‘harmonised request rights’ for data subjects now, which obliges all parties to respond within 20 days to requests from individuals about personal information being stored about them.
Perhaps the most important part of the GDPR for citizens however, is the uniformed security measures being introduced. This is in order to protect individuals from having their information fall into the wrong hands or from being abused by the right hands.
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.
Across Europe, businesses, governments and other organisations transfer vast amounts of personal information across borders. The new regulations are an attempt to give one single view on data protection for the public while streamlining the regulatory process for businesses.
A point of note is that organisations are now obliged to keep individuals, whose personal information is stored or obtained, aware of their rights. They have the right to know that their information is being stored, to see that data if they so wish and also to correct it should there be any inaccuracies. Ultimately for businesses, it means that they will need to stay in contact with individuals on a regular basis in order to keep them on their records. No more sitting on data for extended periods of time without giving the user an opt-out route.
What does it mean for businesses?
Well the first thing to highlight is that previous EU data protection views were directives and not regulations. The GDPR is now EU Law and any local government laws are knocked down the pecking order. Some of the major talking points from the GDPR are as follows:
• Under the new law, companies can be fined a staggering 4% of total global revenue or €20m, depending on which is higher. To put that into perspective, companies in the UK ran the risk of paying out a maximum of £500k for data breaches.
• Data controllers must notify any breaches to the Data Protection Authority within 72 hours of beingnotified of a breach.
• COMPANIES TAKE NOTE! The introduction of the Data Protection Officer (DPO). All companies must now have a designated data security expert in their corporation if they are handling any sort of large scale personal data. What the definition of how large is large and how personal is personal I’m sure will be questioned several times in the coming years, but by all accounts it sounds like there will be a need for companies to either hire externally or upskill their current workforce. The market for data law and privacy just got a whole lot bigger and the profession just got a whole lot more attractive.
• On top of the DPO initiative, all employees who have access to work with any of this personal data must be fully trained to perform their role and carry it out to the highest standard. It is up to the organisations to ensure that this is met and means companies will have to consider spending considerable time and resource to meet GDPR.
• The title may say European, but this affects all global organisations. Once the data applies to an EU citizen, then the EU rules apply.
• Rules do not just apply to the owners of said data. Any individual or organisation that ‘has access to, or processes any data by which an individual can be identified’ can be held responsible for any breaches. This basically means that any third parties involved in data process are now responsible too. Companies using cloud providers will need to take note and most importantly for us, agencies are now in the firing line.
What does this mean for advertising?
We’re moving into an age where the consumer is now going to be in the driving seat when it comes to their data privacy and will be much more aware of this. That means we can expect a long term decline in the volume and legitimacy of 3rd party data and therefore a decline in the reliance on said 3rd party data within marketing. A much bigger significance is going to be placed on 1st party data and how important it will be for companies to gain it, keep it and protect it. Consumers will need to see value in allowing companies to have their 1st party data and as a result, companies are going to have to get a lot smarter and a lot more strategic about how they run their CRM activity.
Start planning now with the consumer in mind and give them a reason to stay on board. In 5 years’ time, they may be all you have.