On Friday, May 25th 2018, it was D-Day for the European Union's General Data Protection Regulation (GDPR). With everyone sent into a panic and hundreds of frantic opt-in emails going out on the eve of the 25th, we are wondering what the fuss is about. To those of us outside the EU, or "down under" in the Southern Hemisphere, the hysteria is confusing - although it will soon impact us as well. Let's stay cool, calm and collected and find out what it really means for small to medium sized businesses, and how we can get organised for the coming GDPR storm...
So what is it?
It is the regulation on data protection and privacy for citizens of the EU. It requires everyone that handles personal data to build a data protection design where privacy is taken into account at every stage, and where information is held in a way that ensures it is not available publicly without explicit consent and cannot be used to identify people.
The GDPR widens what is considered personal data, and it requires companies to closely monitor the data they hold on file for any EU resident. If someone wants their data updated or removed, or wants to receive a copy of their data, the company in question needs to comply and must have the necessary procedures in place to do so.
What does it mean?
It means any company with a digital or online presence in the EU, or that deals with customers or prospects in this area (which includes the United Kingdom, for now), will have to comply with the new law or pay some pretty steep penalties and fines.
Those most at risk are organisations that deal with personal and sensitive data, such as banks, healthcare providers, insurers and of course Facebook and other social apps that handle personal information.
The regulations are a follow-up to the 1995 privacy laws and have been coming for the past two years: organisations were given a two-year implementation period, with enforcement beginning on May 25 2018.
What kind of information does it protect?
Any kind of stored personal data, including a person's name and contact details as well as stored bank details and personal identification numbers, needs to follow the new GDPR rules. In addition to the obvious personal data, it also protects information that can reveal a person's online activity. Location information, as well as IP addresses, cookies and other data that lets companies track users as they browse the internet, is included.
Why should we care?
The regulation applies not only to companies in the EU but to ALL COMPANIES worldwide that deal with any EU resident's personal details, which is why it is such a big deal. While the new law doesn't protect us, or residents of the USA, China and the rest of the world, if you sell to or deal with any countries in the EU you are not exempt and are still required to comply with all the new data privacy laws in order to keep their residents' information safe.
Secondly, the EU has set a precedent with the new privacy laws and has set the ball rolling for the rest of the world to follow. So while it may not affect us at the moment, privacy laws in Australia and New Zealand will very soon be following a similar path, which is why it's a good time to think about how your company uses, stores and protects its customers' personal information.
Don't panic
There is no reason to panic! While this all sounds very foreboding, like a lawsuit waiting to happen, it's mostly aimed at the big internet and app giants such as Google, Facebook/Instagram, WhatsApp, Amazon and other large corporations that deal with millions of personal details every day.
While smaller businesses do need to comply, they generally won't have such large databases, and so won't face the same problem in keeping their clients' personal information secure.
We should instead be mindful of the privacy of the personal details we do collect, and it's a timely reminder to look at our databases and ask: "would this person know who we are and want to receive an email from me?" You may have received a lot of begging emails in the last few weeks asking you to resubscribe or never be emailed again... but as the experts have clearly explained: if you have previously expressly consented to receive emails from a company, that consent remains valid under the new legal framework. There are also five other justifications for a company processing your personal data or emailing you – contract, legal obligation, vital interests, public interest and legitimate interests.
Main takeaways and things to know:
- If you have any bought lists you are using to email people, these are now clearly illegal; there is NO GREY AREA.
- When assessing your database, ask yourself the following question: "Would this person expect an email from me?" Generally, if the answer is yes, they will love to hear from you!
- It's never too late to think about data protection; now is a good time to review your website and online marketing practices.
We are in no way legal experts, and if you are concerned we'd recommend getting legal advice and doing some research. Visit the NZ Govt Privacy website for more information: https://privacy.org.nz/