The General Data Protection Regulation (GDPR) is a landmark data protection law in the European Union. It replaces the 1995 EU Data Protection Directive (DPD) and provides crucial updates to tighten data protection norms. If you have any customers, customer touchpoints or access to data of even one EU citizen, the GDPR applies to you. Non-compliance is sure to result in heavy penalties up to 20 million euros or 4% of the company’s annual revenue, whichever is higher.
Before the GDPR
Prior to the GDPR, data protection in the EU was governed by eight main principles outlined in the DPD. The main difference between the DPD and the GDPR is that the GDPR is directly binding law across the EU, whereas the DPD was a directive that each member state interpreted and transposed into its own national law.
The DPD’s eight main principles were:
- Obtain and process the personal data fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways compatible with the purposes for which it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give a copy of his/her personal data to any individual, on request
The six main principles of the GDPR are:
- Lawfulness, fairness and transparency - personal data must be processed lawfully, fairly and in a transparent manner towards the data subject
- Purpose limitation - data processors cannot use the data for purposes other than those clearly specified when it was collected
- Data minimisation - data collected is strictly relevant to the purpose
- Accuracy - maintain accuracy in data collected and processed
- Storage limitation - data is stored and made accessible only for the duration of the purpose
- Integrity and confidentiality - ensuring all personal data is protected
Relevance and need for the GDPR
Though the GDPR has been years in the making, its actual roll-out has been preceded by significant data breaches that have jolted the global conscience out of a reverie. The infamous Cambridge Analytica and Facebook scandal cast a light on the far-reaching implications of seemingly innocuous data of regular citizens, making data protection the need of the hour. The world is getting smaller than ever, and the use of personal data must be clearly agreed upon by all parties involved.
Glocal (Global + Local) Implications
Though the GDPR is applicable to data subjects that reside in the European Union, it is a comprehensive set of guidelines that any organisation can proactively adopt - indeed, many businesses have already done so. Many other countries are set to follow suit and adopt their versions of the GDPR and the regulations are sure to have glocal implications - if you are a local business that has any customer touchpoint globally, you would be wise to adhere to the GDPR.
Here is a handy GDPR checklist: www.hubspot.com/data-privacy/gdpr-checklist
Other useful resources:
Unsure how the GDPR applies to your marketing efforts? Reach out to us at firstname.lastname@example.org for more detailed discussions!