What All Companies Need to Know About the New EU Privacy Regulation (GDPR)
The new European General Data Protection Regulation takes effect on May 25th, 2018 and companies worldwide need to take note of changes in the handling of personal data.
Though the GDPR regulates the collection and processing of personal information from EU citizens, it will affect anyone who collects data from EU citizens, as well as businesses and digital tools around the world. This means that companies in the U.S. and around the world need to be aware of, and prepare for, the big changes ahead.
This new regulation will become one of the strictest data privacy laws in the world. While everyone gets ready for the changes, we have the answers to the most pressing questions thanks to the experts at our sister company: Amazee Metrics.
What is considered personal data?
The information that the GDPR classifies as personal includes direct personal data like names, ID and Social Security numbers, biometric data such as fingerprints, email or physical addresses, phone numbers, birthdays and online identifiers or logins.
It also includes measures for the protection of indirect personal data such as IP addresses, economic data like account numbers, and cultural and social data. It also includes any physical, genetic or mental data if it can be linked to the individual providing it. Geolocation data and poorly-anonymized data can be a violation of the new restrictions as well. A full list of what information falls under the new regulation can be found here.
Who does this affect?
The GDPR gives control of personal data to data-subjects: a natural person or individual. Specifically, this refers to any European citizen.
One of the biggest changes outlined by the GDPR is that both a Data Processor and a Data Controller are held accountable for personal information and can be legally prosecuted. Data Controllers are anyone that determines the purpose of collecting and processing personal data, while Data Processors are any individual, system, or tool that processes personal information.
The new regulation not only defines these roles, it outlines the specific obligations of each role as well. Most of these revolve around the protection of data, and the communication of data collection practices. Make sure you are familiar with the new obligations, and ready for the changes before May.
What are the rights of the individual?
The GDPR also defines the specific rights of a Data Subject (any European citizen) to their own personal information. This includes being provided with transparent information and communication, and the right to request access to, or deletion of, that information.
The GDPR also specifies that personal data cannot be processed automatically without consent if this has legal consequences (for example, when taking out insurance or applying for a credit card). Read a comprehensive list of rights and obligations over on the Amazee Metrics blog.
What is the Cookie Law or the E-Privacy Directive?
Because of this, sites can obtain implied consent for the processing of data. This has been common practice for years, especially for the “cookie banners” on numerous websites. The GDPR does not replace the existing E-Privacy Directive. The E-Privacy Directive will be updated soon and the name changed to the E-Privacy Regulation. But marketing cookies used for retargeting will fall under the new regulations coming in May, and this means big changes.
What about digital marketing?
Under the GDPR, the definitions of personal information include IP addresses and identifiers in cookies. This means that without consent, a user can no longer be shown retargeting ads. Furthermore, the new regulations prohibit the exchange of client IDs or profiles between parties in an ad network without user consent.
According to many experts, the vast majority of online users will now be reachable only anonymously or through targeted placements. This will change the very fabric of digital marketing not only for companies in the EU, but for anyone who does business with EU citizens.
Are you ready?
The GDPR goes into effect on May 25, 2018 and the E-privacy directives are currently under review, with an update expected in 2018. Want to make sure you're ready for GDPR and future directives? There’s an Amazee for that. Get the information and assistance you need from our sister company, Amazee Metrics.