What is GDPR and how will it affect my business?

GDPR, an acronym for General Data Protection Regulation, is a new set of rules in the European Union governing how personal data can be stored and used. It’s an update to the European Union’s 1995 Data Protection Directive, which served as the framework for this new version of the law.

Starting on May 25, 2018, all EU member-states — along with any companies that operate in the EU, or have EU users — will be required to enforce GDPR’s provisions. If you’re a marketing or technology company that works in Europe or serves EU users, it’s critical to ensure that you’re fully compliant with GDPR ahead of the May 25th deadline.

Violations of GDPR can result in a fine of up to 4 percent of annual global revenue or €20 million, whichever is greater.

From a big-picture perspective, GDPR is intended to give EU citizens more control over their personal data, and to bring the EU under a unified and simplified regulatory scheme in order to better encourage innovation and growth. The GDPR covers two broad topics: The right of the user to be notified when their data is being collected (‘User Consent’), and the right of the user to view or delete that collected data, if requested (‘User Privacy’).

Let’s review the ins-and-outs of how GDPR will change the tech and marketing industry, and explore what it all means for your business.

User consent under GDPR

The user consent provisions outlined on the GDPR website are fairly straightforward: “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.”

This means it’s no longer possible to meet the legal requirements for data-collection by putting a sentence or two in the middle of a convoluted End User License Agreement. If you’re going to be collecting and storing user data as part of your services, you must inform the user in a plain and direct manner.

Additionally, if customers do not wish to consent to the collection of their data, they must be given a clearly labeled option through which they can opt out. In cases where the collection of personal data is integral to the functioning of the service, opting out will mean the user cannot install or use the service.

“Companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent,” the GDPR website states. “It must be as easy to withdraw consent as it is to give it.”

User privacy under GDPR

GDPR’s rules around user privacy are more complicated than those around user consent but just as important.

Generally speaking, these privacy provisions cover the right of users to view any of their personal data that has been collected (Right to Access), the right to download and view that data on their own devices (Data Portability), and the right to have that data deleted upon request (Right to be Forgotten):

1) Right to access: Under the expanded consumer rights put in place by GDPR, EU citizens have the right to request information from any organization about whether their personal data is being collected, how it’s being collected, and why it’s being collected.

2) Data portability: Under GDPR’s data portability provisions, EU citizens have the right to request a downloadable copy of their personal data from any organization that collects it.

This copy of the user’s data must be provided free of charge and must be saved in a “commonly used and machine-readable format,” according to the GDPR website. Additionally, the user has unlimited rights to share that data with another organization or entity.

3) Right to be forgotten: Also known as the ‘Data Erasure’ provision, the Right to be Forgotten entitles users to request that an organization erase their personal data, stop any further dissemination of their personal data, and have third parties halt the processing of their personal data.

Organizations are also required to delete users’ personal data if it is no longer relevant to the original purpose behind its collection — personal data can no longer be stored indefinitely for later use. This specific provision must be followed even if the user has not withdrawn consent or requested that their personal data be deleted.

For a more in-depth explanation of these new rules around User Consent and User Privacy, the GDPR website has a full writeup.