GDPR and You
It’s a European law. Does it affect me?
We are a global society these days. You may not have a global business, but you are likely going to see some of the effects. Companies are sending emails and announcing new privacy policies before this week’s deadline to be compliant. You likely won’t read these policies, but simply put, they outline what data the company is collecting, how it is used and how long it is kept.
Companies that do business with people in the EU must make sure any personal data they collect is handled in compliance with the regulation. So, if you are a public relations firm that distributes press releases or collects data from overseas (e.g. newsletter/blog subscriptions, downloads of eBooks/whitepapers, contact us forms, Google Analytics, etc.), you need to make sure you are in compliance. That goes for any marketer, no matter how small.
So, if your website is not blocking people from the EU and you have forms that capture information like emails, names, etc., then yes, GDPR may affect you.
It’s all about data
Companies collect data from users when they visit their sites. It’s almost impossible to know what is stored and kept and what is not. An article in Sunday’s New York Times gave a glimpse of how much sites like Amazon, Facebook, Twitter and others may know about you. A person from the U.K. and a person from the U.S. asked marketers for the data they held about them. The U.K. person discovered the companies had a great deal of data on him; the person in the U.S. learned far less.
Often this data is used just to market to consumers. Sometimes those marketing efforts are very “spammy” and annoying. The bigger problem is that the data sometimes gets into the hands of cybercriminals, who use it for phishing, identity fraud and breaking into bank and other financial accounts. For example, a social media site gets breached and criminals walk away with the data of 1 million users. You could blame the social media site for not securing the data properly and making it easy to steal, but the exposed users carry the risk.
By the way, companies will not be banned from collecting data. They must show that they have a “lawful basis” for processing it. It’s not as strict as it sounds. Consent and a “contract” with the individual are two of the lawful bases, so a company that has either can still collect the data and store it. But it is no longer allowed to hold the data for as long as it wants; it must keep it only as long as the stated purpose requires. Of course, hospitals and law enforcement will still be able to access and store data under their own legal bases.
Is this all necessary?
The EU thought so, and the reasons behind GDPR are many. First, the existing rules dated from 1995 and needed updating. Second, each member state had its own data protection law implementing those rules, and they needed to be streamlined into one regulation.
Perhaps the most publicized reason is cyberattacks and data leaks. More than 145 million U.S. consumers were stunned to learn in the fall of 2017 that credit-reporting company Equifax had suffered a major security breach earlier in the year. Social Security numbers, addresses, driver’s license numbers and other information were exposed. The EU hopes GDPR will better protect consumers against these types of breaches. And let’s not forget the recent Facebook – Cambridge Analytica data scandal.
What happens after May 25?
Good question. The law will require businesses to report a personal data breach to their supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put the affected people at risk. And they may have to demonstrate to authorities that they are handling personal data correctly. This is costly, and companies have collectively spent billions getting ready.
As for enforcement, the EU comprises 28 countries, each with its own supervisory authority, and they may all enforce it differently. The fines for companies that violate GDPR can be up to 4% of annual global sales or €20 million (about $23.5 million), whichever is higher. For a smaller company the €20 million figure is the relevant ceiling, but that’s still a lot of money.
Still have questions?
We will be following up on this issue later this week. If you have any questions, let us know.