The General Data Protection Regulation (GDPR) is an initiative passed by the European Union in 2016. The goal of GDPR is protecting the data of European residents. However, the law didn’t go into effect until May 25th 2018, which is probably why you’re hearing about it much more in the news now. In this post, we’re going to talk about why it’s important and why you should care.
So, what are the key issues? Let’s break them down into 5 key things to take away: Consent, Only Collect What You Need, Transparency, Opt-Out, and 72 Hours to Notify.
1. Consent
The biggest one. If you’re a publisher, or if you collect data on users at all, consent is king. Most of us are familiar with soft consent, which is what you get when you buy something online or fill out a form: you’ll notice a small box next to the submit button that may say, “by submitting this form, you agree to join our newsletter”. Under the GDPR, that isn’t allowed. You must have hard consent, or a hard opt-in, which means that in that same form you must have individual boxes that state what you want to use that data for, and give users the option to say yes or no to each.
2. Only Collect What You Need
In the same situation as above, we have a form and let’s say we’re collecting first name, last name, email, phone, address, etc. You need to have a reason for collecting that data. Now, if you’re a retailer, there may be a very good reason to get all of that: you need to know where to ship the product, you need a place to send the receipt, and you need a phone number to change the order if need be. Those are very sensible reasons to collect that data. However, if you’re, say, a video game, and you’re asking for a home address, that may not make sense, because you may not have a legitimate reason to get someone’s home address. A lot of people are collecting a lot of data now, with the idea that at some point in the future it may be of value to them. But if you can’t prove that it’s of value right now, it’ll create issues and you may be subject to fines and regulatory action.
If a user has given you their data, let’s say their email, name, phone number, address and other unique identifiers like IP address, device numbers, tracking URLs, etc., and then one day they decide they no longer want you to have that information, they must have the ability to request that it be removed. A small example may be an unsubscribe button in an email, pretty standard stuff in most email campaigns. If, however, you are running a website and you’re collecting data for advertising, you must have the ability to remove an individual user’s data. Recently you may have noticed, more and more, that when you visit a website a little pop-up comes up and says “by using our website you agree to our cookies terms of service”. Advertisers use cookie data to learn more about users and target ads more effectively. An individual user will now need the ability to go to a website and say “remove my cookie data from your website”.
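The two mechanisms described above, per-purpose hard consent on a form and the ability to remove an individual user’s data on request, are easy to get wrong in code. The following is an added example, not code from the original post; the purpose names, the `consent_<purpose>` field names, the sample identifiers and the `ConsentStore` class are all assumptions made for illustration. It shows a consent parser that treats anything other than an explicitly ticked per-purpose box as “no” (so a bundled “by submitting you agree” field grants nothing), and an erasure routine that removes the consent record together with every cookie, IP or device identifier linked to that user.

```javascript
// Added example (not from the original post). All names below are assumptions.

// Purposes this hypothetical site collects data for. Each needs its own
// unchecked box on the form; a bundled agreement line is not consent.
const PURPOSES = ['newsletter', 'advertising', 'analytics'];

// Read explicit opt-ins from submitted form fields. An HTML checkbox is absent
// from the submission when unchecked and carries "on" when checked, so only an
// affirmative value for the purpose's own box counts; everything else is "no".
function parseConsent(fields) {
  const consent = {};
  for (const purpose of PURPOSES) {
    const value = fields[`consent_${purpose}`];
    consent[purpose] = value === 'on' || value === true || value === 'yes';
  }
  return consent;
}

class ConsentStore {
  constructor() {
    this.records = new Map();     // subjectId -> { consent, updatedAt }
    this.identifiers = new Map(); // identifier (cookie id, IP, device id) -> subjectId
  }

  // Store what the user actually ticked, with a timestamp for the audit trail.
  record(subjectId, fields, now = new Date()) {
    const consent = parseConsent(fields);
    this.records.set(subjectId, { consent, updatedAt: now.toISOString() });
    return consent;
  }

  // Associate a tracking identifier with a user so erasure can find it later.
  link(subjectId, identifier) {
    this.identifiers.set(identifier, subjectId);
  }

  isAllowed(subjectId, purpose) {
    const rec = this.records.get(subjectId);
    return Boolean(rec && rec.consent[purpose]);
  }

  // Withdrawing one purpose must not touch the others.
  withdraw(subjectId, purpose, now = new Date()) {
    const rec = this.records.get(subjectId);
    if (!rec) return false;
    rec.consent[purpose] = false;
    rec.updatedAt = now.toISOString();
    return true;
  }

  // Remove the consent record and every identifier tied to this user, and
  // return a report of what was removed so the request can be evidenced.
  erase(subjectId) {
    const identifiersRemoved = [];
    for (const [identifier, owner] of this.identifiers) {
      if (owner === subjectId) {
        this.identifiers.delete(identifier);
        identifiersRemoved.push(identifier);
      }
    }
    const recordRemoved = this.records.delete(subjectId);
    return { subjectId, recordRemoved, identifiersRemoved };
  }

  lookup(identifier) {
    return this.identifiers.get(identifier) ?? null;
  }
}

// Walk through both cases with constructed sample submissions.
function demo() {
  const store = new ConsentStore();
  // Soft consent: a bundled agreement box and no per-purpose boxes ticked.
  const bundled = store.record('user-1', { agree_terms: 'on' });
  // Hard consent: only the purposes the user actually ticked are granted.
  const explicit = store.record('user-2', {
    consent_newsletter: 'on',
    consent_analytics: 'on',
  });
  const grantedAtSignup = { ...explicit };
  store.link('user-2', 'cookie:abc123');   // constructed identifiers
  store.link('user-2', 'ip:203.0.113.7');
  const analyticsBefore = store.isAllowed('user-2', 'analytics');
  store.withdraw('user-2', 'analytics');
  const analyticsAfter = store.isAllowed('user-2', 'analytics');
  const report = store.erase('user-2');
  return { bundled, grantedAtSignup, analyticsBefore, analyticsAfter, report, store };
}
```

The design point is that the absence of a checkbox value is the default, so nothing is ever pre-ticked on the user’s behalf, and that the identifier index is keyed by the very values an advertising pipeline would otherwise keep (cookie id, IP, device id), so an erasure request can actually reach them.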
5. 72 Hours to Notify About a Data Breach
If a website or company gets hacked and user data is compromised, they have 72 hours to notify users that their information has been stolen. Recently, Best Buy, Delta & Sears were all compromised in a hack, more than likely because they used the same data provider, [24]7.ai. The hack occurred in September of 2017. However, the users and public were not notified until April of 2018, a full 7 months later. With GDPR, that’s simply unacceptable now.
Any company that doesn’t meet any of those requirements, as far as they apply to users in the European Union, is exposed to penalties. Keep in mind that if someone is a current resident of the EU but is living in America, they count as an EU user. The penalties for this range from 4% of yearly revenue to $20,000,000 in fines (we’re guessing whichever is more). These are the 5 things you should primarily be aware of when thinking about GDPR.