What the heck is GDPR?
GDPR stands for General Data Protection Regulation. It’s a privacy law from the European Union that has applied since May 25, 2018, and it covers any organisation, big or small, that processes the personal data of people in the EU, whether or not the organisation itself is based there. If you do ANY sort of business online, there is a good chance it affects you.
It all started in 2012 when the European Commission set out a plan to reform the data protection rules across the European Union in order to make it “fit for the digital age”. It took almost four years to agree on exactly what was involved in this and how it would be implemented.
One of the aspects of this reform was Regulation (EU) 2016/679, otherwise known as the General Data Protection Regulation. This was created to replace the Data Protection Directive (officially known as Directive 95/46/EC) which had been in force since 1995.
The Regulation entered into force on 24 May 2016 and, after a two-year transition period, has applied directly in every member state since 25 May 2018. Because it is a regulation rather than a directive, it did not need to be written into national law to take effect. In the UK it replaced the Data Protection Act 1998, with the Data Protection Act 2018 filling in the areas the Regulation leaves to member states.
GDPR is a set of rules designed to give people in the EU more control over their personal data. In practice it governs the processing of that data: everything you do with personally identifying information collected from anyone in the EU, from the moment you collect it to the moment you delete it.
While this is an EU law, it is not limited to companies based in the EU. Under Article 3 it also reaches organisations anywhere in the world that offer goods or services to people in the EU, or that monitor their behaviour, which includes collecting leads from them and tracking them with analytics or advertising cookies.
By now your eyes have rolled and you’ve said to yourself, “I don’t target listeners or advertisers in Europe, so I’m all good.” Not so fast. Simply being reachable from the EU is not enough on its own (Recital 23 says as much), but the moment you track the behaviour of EU visitors who land on your site from a search or a social media post, for example with analytics or ad tracking, you are “monitoring” them in the sense of Article 3(2)(b) and the GDPR applies. So yes, this does mean YOU and us!
What is Considered Personal Data?
The GDPR protects “personal data,” which means “any information relating to an identified or identifiable natural person”. That’s a pretty broad definition. In reality, personal data is generally going to include things like:
- Biographical data such as your name, address, phone number, social security number, and so on.
- Data relating to your physical appearance and behavior such as hair color, race, and height. (Race is also a “special category” of data under Article 9, which carries extra restrictions.)
- Information about your education and work history such as your salary, college degree, GPA, tax ID, etc.
- Things like your private messages, geo-location data, and online identifiers such as IP addresses, cookie IDs and device identifiers (Recital 30 calls these out explicitly).
This is far from a complete list. The key is that any data that can single you out counts. This means that if you have any type of form on your website, you are collecting “personal data”. If you employ Google Analytics to see where your visitors are from, you are collecting IP addresses, cookie identifiers and derived geo-location, all of which are “personal data”, and Google is acting as your data processor, which means you need a data processing agreement with them (Article 28).
The Right to be Forgotten
This is one of the core tenets of GDPR (formally the right to erasure, Article 17). Simply stated, if someone asks you to remove their data from your system then you must do so, unless you still need that data for the purpose for which it was originally collected, or another legal ground for keeping it (such as a legal obligation) applies.
This means that unless you have a current, genuine justification for retaining someone’s contact details, you must delete them if they ask you to. Note that this exception does not stretch to marketing: if someone objects to direct marketing you must stop (Article 21(2) gives no room for argument), even if marketing was the reason you originally obtained their details.
In practice what these two rules together mean is that if you have a genuine commercial requirement to be able to contact your customers (often referred to in GDPR documentation as a ‘legitimate interest’) then you may do so. But if you do not have that, and they have not explicitly agreed that you are free to contact them, or they did agree but have since withdrawn that permission, then you cannot contact them.
What’s the risk of not being GDPR compliant?
The simple answer is: you don’t want to be penalized. The financial penalties for non-compliance are far higher than under the old Data Protection Act. The upper tier of fines is €20 million or 4% of your annual global turnover, whichever is greater (Article 83). The authorities can also…
- Issue warnings
- Carry out audits
- Demand that you fix things within a strict deadline
- Demand you erase data
- Stop data transfers to other countries
- Apply these powers to both data controllers and data processors
“But I’m local and only do business within the United States.” You might be thinking that, but do you really know? It would be really HARD to prove that you only email or show ads to US-based residents. Ever say “thanks” to service men and women listening overseas? So, is it really worth taking the risk?
So, how can you be compliant?
It’s unlikely that a regulator will come knocking on your door over GDPR compliance. However, it’s just good business to have the proper channels in place to protect your listeners’ information, no matter where they are geographically located.
The GDPR has caused a lot of companies to reevaluate how they handle consumer data, and some of them have started extending GDPR rights to non-EU residents as well. In many cases it’s also simpler for a company to enforce a single set of rules for all of its customers.
Please reach out to us if you have any question on GDPR Compliance.