“The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.” says the author of eugdpr.org.
What is GDPR?
GDPR protects personal data of EU residents including name and surname; home address; email address such as firstname.lastname@example.org; location data (for example the location data function on a mobile phone); Internet Protocol (IP) address; cookie ID; the advertising identifier of your phone. The new rules go into effect on May 25, 2018.
A broad overview of the components of GDPR that could most impact professional services firms:
- Breach Notification: People must be notified of a data breach within 72 hours of its discovery if it is likely to “result in a risk for the rights and freedoms of individuals”.
- Right to Access: People can request a written overview as to whether, how, and for what purpose, their personal data is being used.
- Right to be Forgotten (Data Erasure): People can request that their personal data be erased, stop being used, and not be shared with third parties.
- Privacy by Design: Data protection should be built into a process that collects personal data from the beginning, not layered on afterward. The minimal amount of information needed to provide the service should be collected.
GDPR is comprehensive and far reaching. Please note that I am NOT (repeat NOT) an expert on this. Please consult your firm’s IT director, lawyer, professional liability insurance provider, or firm advisor for actual guidance. This article is meant only to get you thinking – and is not intended as advice!
Does GDPR affect your firm?
Well… it’s hard to say. The GDPR is not intended for every business on the planet. US-based, US-focused businesses are not the target. However, if your firm offers services that are available to, and of interest to, residents or businesses in the EU, take note. Assuming you need to be GDPR compliant, let’s look at a few examples of what to review in your online marketing program:
- Your firm’s website: If your firm’s website uses Google Analytics (which it should and probably does) or cookies, then you’re collecting data on site visitors, meaning that your site is impacted by GDPR’s protection of EU residents’ IP addresses. Google has created new settings in Analytics to help with GDPR compliance, so that’s a good place to start.
- Your firm’s email newsletter or ebook download is probably available through an opt-in process on your website. This means that someone from the EU may subscribe any time. An EU resident’s name and email address are both protected by GDPR, and once you have them, you need to keep them safe, be able to find them in your system, provide a history of how they were used, and remove them upon request.
- Your firm’s database probably has thousands of contacts in it. If any of them are EU residents, you need to know the intent the person had in giving you their information. If it was, for instance, to download an ebook from your website, then your right to use the data may end there, even if you have 10 other ideas for how to market to that person. Note also that you have to tell people how you will use their data.
- Your firm’s social media profiles should be OK, because it will be the role of the site (Facebook, LinkedIn, etc.) to comply with GDPR. Since your social media is probably intended to drive traffic to your website, keep in mind the website issues described above.
Growing Data Privacy Concerns Around the World
The EU is blazing this trail, but it’s not just EU residents who are interested in data security and privacy. I have a feeling that other countries (the US?) will follow. The penalties for non-compliance with GDPR are huge so it’s prudent to pay attention now. Consider continuing your education on this topic at the EU’s official page on GDPR or consult your firm’s professional liability insurance provider.
If you have questions, please reach out. We can find an answer together!