Which changes will come with the EU GDPR?
The General Data Protection Regulation is a legal framework that applies to the European Union. Up until now, each EU member state has observed the data protection regulation from 1995, together with their own individual national regulations. The GDPR will replace these, serving as a central law that applies throughout the European Union. The GDPR consists of 99 articles in total.
When does the GDPR come into effect?
The GDPR was published in May 2016, but businesses have until 25 May 2018 to make sure they are compliant. From that date, the GDPR applies directly and immediately. The GDPR supersedes all existing data protection acts, so compliance is absolutely essential.
The aim of the GDPR is to harmonize and simplify the legal framework within the European Union. This benefits both consumers and businesses. Under the GDPR, consumers – or “data subjects” – will have more rights regarding their personal data and how it is used. At the same time, companies that operate internationally will benefit from a uniform legal framework throughout the EU, rather than having to know and observe the individual guidelines of each member state.
To whom does the GDPR apply?
Essentially, the GDPR applies if the data subject (the person whose data is being processed) is based within the EU. It therefore affects:
- Companies and organizations that collect data from EU residents (even if the company itself is based outside of the EU).
- Companies and organizations that process data belonging to EU residents (even if the company itself is based outside of the EU).
So, if you collect, store, transmit or process data belonging to anyone based within the EU, the rules of the GDPR apply. The GDPR may therefore be applicable to both cloud and non-cloud providers.
The GDPR in a nutshell: What’s changed?
- Greater scope: The GDPR will apply to all companies handling data belonging to EU residents – regardless of where the company itself is located.
- Clearer guidelines regarding consent: Consent must be explicit – the user must “opt in” – and companies obtaining consent must make it absolutely clear as to what the user is consenting to. Organizations must also make it easy for the user to withdraw their consent at any time.
- Stricter regulations in the event of a breach: In the event of a data breach that may put individual rights and freedoms at risk, the relevant authority must be informed within 72 hours. In certain situations, it may also be mandatory to notify the individuals concerned.
- The right to be forgotten: Under certain conditions, data subjects may request that their personal data be erased. The data subject also has the right to obtain a copy of their data (free of charge).
- Penalties and sanctions: The GDPR seeks to ensure greater accountability, and therefore brings with it stricter penalties for non-compliance. Repercussions may range from a written warning to a fine of up to 20 million euros, or 4% of the company’s annual worldwide turnover from the preceding financial year – whichever is greater.
What does the GDPR mean for email marketing?
Under the new GDPR framework, email marketers must be especially diligent when it comes to consent. The user must actively opt in, and you must be able to prove that they have done so. Pre-checked opt-in boxes are no longer allowed.
Even if you collected your email addresses prior to May 2018, you may not be able to legally use them once the GDPR comes into force. If you are not 100% sure of the opt-in status of your contacts – or are unable to provide proof of consent – you may need to run a re-opt-in campaign.
There will also be new rules regarding profiling, which is especially relevant to marketing automation. The GDPR stipulates that the user must be notified of any automated decisions based on personal data (for example, in your confidentiality agreement) and must be able to opt out of such profiling if they so wish.
You will also find more information in our whitepaper.