As marketers think ahead to 2018, one issue at the top of the list is the impending European Union General Data Protection Regulation (GDPR). The goal of the regulation is to strengthen individuals' control over their personal data (what North American marketers usually call personally identifiable information, or PII). It was adopted in April 2016 and becomes fully enforceable on May 25, 2018. So, marketers, mark your calendar.
GDPR compliance is a huge, deep topic, and this is only a blog post. Below is a summary of GDPR basics that all marketers should know.
What is PII: First, it's important to recognize that PII is defined differently in different legal settings. In North America, for example, PII usually means name, address, birth date, Social Security number and financial information such as credit card or bank account numbers.
Under GDPR, the equivalent concept ("personal data") is much broader. It includes social media posts, photographs, lifestyle preferences, transaction histories, and even IP addresses, cookie IDs and other online identifiers that can single out a person.
GDPR distinguishes several categories of personal data:
- Personal data: “any information relating to an identified or identifiable natural person (the ‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
- Sensitive personal data: “personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.”
- Data relating to criminal offences: data about criminal convictions and offences may be processed only under the control of official authority, or where Union or Member State law specifically authorises it (GDPR Article 10). In practice, that means marketers should not be collecting it at all.
- Pseudonymous data: “A good example of pseudonymous data is coded data sets used in clinical trials.” The quoted definitions above come from the 1995 Data Protection Directive, GDPR's predecessor, which “does not explicitly address the issue of pseudonymous data.” GDPR does: Article 4(5) defines pseudonymisation as processing personal data so that it can no longer be attributed to a specific person without additional information that is kept separately and protected, and Recital 26 confirms that pseudonymised data is still personal data. Pseudonymisation is encouraged as a risk-reducing safeguard, but it does not take a data set out of GDPR's scope; only true anonymisation does.
What are the Consequences: Administrative fines come in two tiers. Each is a maximum, and in each case the higher of the two figures applies:
Up to €10 million or 2% of global annual turnover, whichever is greater
If the non-compliance concerns the operational obligations placed on controllers and processors, such as data protection impact assessments, breach notifications, records of processing or certifications, the fine can reach €10 million or 2% of worldwide annual turnover (revenue) for the preceding financial year, whichever is greater.
Up to €20 million or 4% of global annual turnover, whichever is greater
If a company is found to have violated one of GDPR's core tenets, the fine can reach €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is greater.
Examples include ignoring the basic principles for processing personal data (including the conditions for valid consent), infringing the rights of data subjects, and transferring personal data to third countries or international organizations that do not ensure an adequate level of data protection.
Yikes. This is one reason why one study found “nearly 20 percent of respondents said they fear that non-compliance could put them out of business.”
Who: GDPR applies to any organization established in the EU, and, regardless of where it is based, to any organization that offers goods or services to individuals in the EU or “monitors their behavior, for example, by tracking their buying habits.” So if someone in the EU signed up for your newsletter, or your analytics script profiles EU visitors, you are subject to GDPR.
In other words, if you have a website or you send emails to customers, you are open to a global audience and therefore need to think about GDPR. The previously mentioned study also found that “47 percent of organizations globally have major doubts that they will meet this impending compliance deadline.” Egads.
We’ll continue to share important, need-to-know information with our blog readers. Stay tuned!