If you haven’t heard of General Data Protection Regulation (GDPR), it’s time to get acquainted.
The GDPR is an initiative set to go into effect in the European Union on May 25, 2018. It's meant to protect the online data of consumers who live in the EU but, seeing as the Internet spans the world, U.S.-based business owners may also need to prepare for it.
Here are the quick facts and background info to help you determine whether or not you need to be GDPR-compliant.
What Is It?
The 2018 GDPR replaces the EU’s 1995 Data Protection Directive (DPD). Its goal: to protect the personal data of EU citizens and up the ante on organizations that collect and process that personal data (and that's anyone from social networking sites to your own marketing department).
The DPD’s goals were similar; this new update simply brings the regulation up to speed with the vast online changes that have taken place since 1995. It also reduces the number of country-specific laws to create a more streamlined, consumer-focused regulatory system.
What Does the GDPR Give to Consumers?
The EU has always been much stronger on “transparent” information-collecting standards than the United States. While the U.S. separates data protection into sectors (e.g., health, credit), the European Union considers data protection a fundamental right, which has shaped much of European thinking around the topic. That’s why, as you’ll see in this HubSpot study, consumers tend to favor the new GDPR standards: 90% of consumers surveyed agreed that the GDPR is good for consumers today.
There are a ton of new updates to this regulation. Below, I’ve included a couple that pop out in most of the GDPR headlines (and differ greatly from American standards):
The Right to Be Forgotten:
The consumer has the right to ask search engines to delete links that may harm their ability to have a productive and fair future. For example: say you were arrested for a misdemeanor back in the day but have an otherwise spotless record. When you search your name in Google, however, the news article that covered your arrest comes up with your name as a keyword. You have the right to ask Google to remove those links, since they are associated with your name. The link will remain on the original news site, but as far as searches go, your name will be “forgotten” by the Internet.
72-Hour Breach Reporting:
If an attacker gets into a store’s credit card records and the intrusion has been detected, a company within the scope of the GDPR has three days to report the breach to national regulators or else face steep fines. In the U.S., breach reporting rules vary by industry, and companies can delay reporting if it interferes with a criminal investigation.
Why Should You Care?
You’re an American company. Who cares if Europe is doing something new with their data laws?
You should care: the new regulations will affect your business. If you conduct any sort of business online, it’s time to do your homework.
Things to Keep an Eye On:
According to this Forbes article on the GDPR, there are a few things (each more complicated than the last) that you need to pay attention to if you’re a company with a web presence. Here are some clarifications:
1. Territorial Scope
The GDPR protects anyone physically in the EU. A lot of the confusion surrounding the GDPR has centered on whether the consumer has to be an EU citizen or not (the GDPR simply uses the term “data subject” to describe the individuals protected under its scope). If you collect any data from people in the EU, your best bet is to follow GDPR regulations, regardless of whether or not you’re targeting citizens. However, the GDPR does NOT protect EU citizens doing searches outside of the EU (e.g., a Swede in Minnesota).
2. Targeted Marketing and the Web
Things get a little more complicated when you’re talking about whether or not your U.S.-based website is accessed by a data subject physically in the EU. Here’s the general gist: if you’re targeting EU citizens, you must comply with the GDPR.
What does targeting EU citizens look like, you ask? Web pages that have their native language on them, reference EU customers, or provide pricing options in the native currency all fall under that umbrella. If your page simply happens to pop up in an EU citizen’s search and does not seem to specifically target them, then you’re generally in the clear.
3. Consent, Breach Reporting, and Fines
Consent for any data collection must be freely given and unambiguous. That even rules out forms pre-filled with the customer’s information, and making customers say “I agree” to a convoluted “Terms of Agreement” document full of legalese.
Additionally, as mentioned previously, breaches in security that involve customer data MUST be reported within three days, or else your company can be fined. And those fines? They can be up to 4% of your annual revenue, or up to $20 million.
The GDPR is meant to protect consumers, but it definitely can put a wrench in some of your marketing data collection plans. If you’re a HubSpot customer, complying gets a little bit easier: the platform has capabilities to make sure you won’t find yourself in GDPR hot water.
Want to know more? Talk to your account manager and see what we can do for you, or ask us what we're doing to make sure we're GDPR compliant!