CONTACT CONCENTREK GROUP
Ready to see what Concentrek Group can do for you? Fill out this form and we’ll be in touch soon. Can’t wait? We don’t blame you—contact us at 419.244.9000 or firstname.lastname@example.org.
KEY TAKEAWAY: Under the GDPR, there have been shifts to the data privacy policies for any company that works with European customers. Not properly adapting your website around these changes will negatively impact your company—and result in hefty fines.
If you work in the world of marketing, you may have heard the term GDPR tossed around a lot lately. As of May 2018, the European Union (EU) changed its data privacy policies to better protect consumers’ personal data. These changes not only affect companies within Europe but U.S business and consumers that work with European customers, as well.
While data privacy has always been a topic of debate, it has become even more prominent in the news, especially with 87 million people affected by Facebook’s data breach. In this day and age, with technology constantly advancing, privacy is becoming more and more important to protect.
The General Data Protection Regulations (GDPR) are essentially the rules that protect a person’s personal information and dictates how that information can be used and processed. The 28 countries throughout the European Union, as well as the European Economic Area, will be under the jurisdiction of the GDPR.
Think of it this way. It’s basically like a corporation giving the power of choice back to the individual. Now, businesses either in the EU or associating with people in the EU must adjust their privacy policies so natural persons (you, the citizen), will be able to better choose what you want companies to have access to and what you want to keep private. An official list of the rules can be found here.
The GDPR is actually not the first data protection regulation to have been set in place. It has replaced the Data Protection Directive created in 1995 by the EU as a means to expand and delve further into detail on citizen’s privacy rights.
The DPD at its core is based on seven principles:
Now, you may be thinking that already sounds pretty solid, but there were still a number of gray areas. For example, under the DPD, personal information was defined as items like your name, birthday, social security number and email address; however, it’s important to remember the DPD was written in 1995, and technology has grown substantially since then. The GDPR covers even more personal information such as IP addresses, mobile device identifiers and biometric data. The DPD also held ambiguous rules on asking for consent, which the GDPR has since explicitly defined.
The GDPR has expanded on these principles and added many details to clear up any misunderstandings between businesses and consumers in regard to consumer rights. We can break down the important updates for a better understanding of the specific changes.
The original protection coverage from the DPD was much more vague and blurred; however, according to the GDPR Portal, even if a company is not located in the EU’s jurisdiction, it still must comply with these new rules in case the individual whose data is being processed is within the EU. Vice-versa: If a company resides in the EU but collects data from outside sources, they must follow the GDPR protocol.
However, should a citizen from the EU travel to a foreign country, they are no longer under the jurisdiction of the GDPR. Businesses catering to citizens located outside of the EU are not required to adjust their privacy policies, regardless of where their customers are from. Conversely, should a foreigner travel to the EU, they are immediately protected by the GDPR. You don’t have to be a citizen of the EU to receive the same rights; as long as you are within the EU, you are protected.
In the past, companies could hide forms of consent within lengthy text of legal jargon and terms an individual may not understand. These new regulations are much stricter in stressing that clear and concise forms of consent must be presented and accepted by consumers. It is also a new regulation that consumers can take away their consent just as easily.
Have you ever made an account on a website, and you are later bombarded with offers, deals or the latest trends, yet you don’t remember agreeing to receive them? Have you ever spent a fair amount of time looking for that ‘Unsubscribe’ button that’s hidden at the bottom of the page in small font? Perhaps your location is being used when on a certain app, and you would like to turn it off but cannot find out how. The new consent guidelines through the GDPR as explained by the United Kingdom’s Information Commissioner’s Office (Yes, the U.K. must also comply with these regulations!) helps alleviate some of that stress regarding consent.
The rules regarding consent have been clearly laid out by the GDPR and are broken down into the following:
Once a business has given explicit detail of what kind of data is being collected, the consumer is then allowed to know for what purpose, who specifically is getting it and for how long it will be used. They are also granted information on their right to have their data erased, the opportunity to contact authorities should they be needed and also the knowledge of how their data is protected should it be transmitted to a third-party.
Along with the ability to access the specifics of their data collected, consumers can also request their data be deleted. This right to erasure also means that as soon as a data collector is finished with your information, they must delete it immediately or cease processing through third-parties. There are steps that must be taken to achieve this request, such as allowing individuals to retract their consent either verbally or in writing. Businesses have at most one month to comply.
It is important to note that while consumers do have access to data erasure, it is possible to have such a request declined should the information collected coincide with the freedom of speech, a legal obligation, for public interest, historical or scientific research or with regard to legal claims.
As businesses worked to update their privacy policies, they also wanted to avoid hefty fines. The GDPR details what kinds of trouble companies can get in to if they violate these data protection rules. This includes at its greatest, a global turnover of 4% or €20 million fined—whichever is greater. These reprimands will be determined along with how compliant the business is with the consumer in rectifying a breach of the rules, as well as in what manner the rules were broken. Should a data breach occur, companies have up to 72 hours to alert their consumers.
We now have a better way of gaining and keeping the trust of our consumers with the updates of the GDPR. With clearer guidelines on consent, usage and methods for obtaining data, people can finally get back to browsing, shopping and Facebook-ing—with less worry of privacy breach.
At Concentrek Group, our team can work with you on the best and most efficient ways to market your brand to consumers and ensure you properly comply with all GDPR regulations. Have a project in mind? Contact us today!