What Is GDPR and What Should We Know About It?

Everyone’s inbox has been flooded by “We’ve Updated Our Privacy Policy” emails since the end of May. The reason? GDPR, EU’s new set of data regulations that came into effect on May 25th. Businesses have been scrambling to become compliant, often in the form of asking subscribers via email whether they want to keep getting their emails after GDPR comes into effect.

But why is GDPR causing such chaos? In a FirstCut interview with DataGrail CEO Daniel Barber, he talked about GDPR and things we should know about it. His company is focused on compliance and privacy for companies looking to sell into Europe, and he offered some insightful opinions.

What Is GDPR?

The goal of General Data Protection Regulation is to ensure data protection of the EU residents, Daniel Barber explained. Its central theme is that any individual within the EU can request information on how a business operates or processes their data, among other things. In the wake of Facebook’s privacy scandal with Cambridge Analytica, it became clear that data regulations must follow the development of technology and address significant privacy concerns. GDPR is a step in that direction.

Data Protection in Other Countries

GDPR is a prevalently EU-centered law for now, but other countries are looking to adopt its replications and implement similar data regulation. Even if your business doesn’t have to worry about GDPR for now (if your customers are mainly US-based, for example), that doesn’t mean you won’t have to implement some of the GDPR-compliant practices any time soon. GDPR is influencing legislation everywhere to move in the direction of improved privacy and data protection, so it’s best to start preparing on time.

Most Important GDPR Definitions

GDPR defines data subjects as individuals whose personal data is being collected, processed or held, and it gives them more control over how that data is being used. The companies who have the technology that processes data provided by data subjects are defined as data processors by the GDPR. A company could also identify as a data controller, which is what most of companies fall under as their sales and marketing teams make decisions based on personal data they collect.

GDPR also gives a strict definition of consent, which needs to be an informed and active consent. It now requires an affirmative opt-in, and any method of default consent (such as pre-ticked boxes) isn’t considered valid. You’ll have to obtain separate permission for every channel of communication as well — so if a user of your website agrees to your cookies or privacy policy, that doesn’t mean you can send them marketing emails before they opt in for that.

Data Subject Rights

One of the rights that GDPR guarantees to data subjects is the right to access their information. As mentioned earlier, they can request it from the company that holds it, and the company must comply. Data subjects also have the right to delete their personal information if they so choose, and they can also withdraw their consent at any time. Other reasons include the right to object to the processing of their data, including automated processing. It’s safe to say that GDPR gives data subjects more control over their data than they’ve ever had before. Of course, the ability to delete or request information is a great thing for data subjects, but what does that mean for the data controllers and processors?

Challenges in GDPR Implementation

What it all comes down to is that companies must come up with logistics to support data subject requests to access their information. The new regulations affect everything, from your server and cloud storage locations to sorting of the data you’ve been storing. As Daniel Barber explains, the current business environment isn’t set up to perform or support that activity, considering the multitude of third-party applications being used as well as other practical difficulties. Large companies (with over 150 employees) also need to have a Data Protection Officer, and those who are under that number still need to adjust their inbound marketing workflow to ensure GDPR compliance.

Becoming GDPR-Compliant

Barber’s advice is for company leaders to connect with legal counselors to figure out what exactly they need to do to become GDPR-compliant. Ultimately, marketers or sales reps aren’t lawyers, and despite the basics of GDPR being mostly clear, there are many possible legal implications hidden under those basics. To make sure you’re fully compliant and avoid potentially huge penalties, it’s best to consult a legal professional.

Conclusion

Although GDPR presents a challenge for companies and marketers alike and requires some time to adjust to, it’s ultimately a set of regulations meant to improve people’s privacy and protection of personal information. As such, it’s a positive change for the better that should be welcomed.

Subscribe to FirstCut Content

Get new blog posts delivered direct to your inbox