GDPR Is Going Into Effect, Whether it Affects You or Not
G-D-P-R. These four letters form the abbreviated title of what is being called one of the most important changes in data privacy regulation in nearly two decades. The General Data Protection Regulation goes into effect on May 25th. This new European Union (EU) legislation is designed to give EU residents more control over their personal data. It requires companies to be transparent on how personal information is stored and processed and places the burden of proof on them to show compliance when challenged. As one of our team members says, these guidelines and regulations “have some teeth behind them.” High penalties include €20 million in fines (equal to approximately $24.5 million), or four percent of a company’s global annual revenue (whichever is higher).
In general, GDPR applies to any organization operating within the EU and any organizations outside of the EU who offer goods or services to customers and businesses there. More specifically, this new regulation applies to companies in the EU processing any personal data and companies outside of the EU that are processing personal data of the individuals in the EU, including customers, prospects, employees or website visitors (if personal data is being tracked by cookies or other means).
Types of personal data at stake are broken down into name, address, and phone number; IP addresses and cookies; racial identity; religion and religious affiliation; health and genetic data; biometric data and sexual orientation and gender preference.
While many U.S.- based health insurers or local and regional hospital systems may not be directly affected by GDPR, the potential email and digital marketing implications for other healthcare organizations could be great as privacy policies, email opt-ins and verifications, data storage and breach notifications among other things will all be affected by the new GDPR guidelines. Most businesses or organizations that fall directly under the GDPR umbrella should (hopefully) already have measures in place. Examples specific to the healthcare industry include academic and research institutions with prospective or current patients from the EU who come to American medical centers for treatment or surgery, or prospective or current students who wish to carry out medical education and training or employment in the U.S. If you are unsure if it affects your healthcare organization, it is always best to seek legal counsel on regulations of this magnitude.
If you are an organization not directly affected by GDPR, you still need to embrace this change because GDPR turns the idea of personal data as an asset on its head. “GDPR is not the end. It is the beginning of the era in which we start to value personal data,” is a quote from Michelle Dennedy, chief privacy officer at Cisco. We know that people are demanding greater accountability for their personal data. This comes on the heels of the Facebook-Cambridge Analytica scandal and a growing number of major data breaches. It is unknown whether or not the U.S. will adopt a policy similar to GDPR in the near or distant future, but the momentum is definitely building toward revised privacy policies and consumer data protection.
Also, given the new demands for greater accountability, taking proactive steps now to collect and protect personal data more carefully could be a great boost to your organization’s marketing as it can improve your reputation with your customers and create greater customer loyalty. While the quantity of data may be smaller, the quality may be greater leading to more effective marketing.
For more information on GDPR, including who is affected by the regulations, an overview of the new requirements, as well as visual examples of GDPR compliant privacy policies and email opt-ins, see Media Logic’s downloadable GDPR Guide. You’ll also find important updates for all marketers on changes in Google Analytics data retention and WordPress admin functions that will be affected by GDPR.
