April 26th, 2018
By now most people have heard the term GDPR, read the articles or even attempted to explain what it means. As the deadline date looms, we thought we would try our hand at explaining the law and the regulations to follow.
So, firstly what does it stand for?
Global Data Protection Regulation.
Great. Now we’ve covered that, what is it?
GDPR is a data protection law which comes into effect on May 25th, 2018. It’s the biggest shake-up of personal data privacy rules since the start of the Internet and its purpose is to give power back to the consumer. Meaning you, the individual, will have more control over how your data is handled by bodies and businesses.
In essence, strict rules mean companies will not be allowed to collect and use your personal information without consent. Hurray!
Fantastic, my inbox is reaching capacity. But wait, do I need to do anything?
Depends. As a consumer, the answer is no, just keep an eye on your inbox and decide which companies you want holding your personal information by opting into their emails.
However, if you are a business and collect users’ data (emails, IP addresses) you don’t have long to act!
By the 25th of May, you must have actively provided customers with the opportunity to explicitly consent to the storage of their personal information. A simple email requesting consent can do this.
What happens if a company fails to comply?
1) Fined up to €10 million, or 2% annual global turnover – whichever is higher.
2) Fined up to €20 million, or 4% annual global turnover – whichever is higher.
“The fines are based on the specific articles of the Regulation that the organisation has breached. Infringements of the organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.” – itgovernance.co.uk
The new regulations pose a new financial risk to many companies that do not comply. Globally, 35% of companies fear that the financial penalties possible under the GDPR could imperil their very existence!
GDPR is aimed at all companies and bodies that handle user data. It’s serious stuff which can be strictly enforced by each country’s regulator. For example, in the UK the Information Commissioner’s Office has had its powers expanded to carry out dawn raids. Identical fines will be imposed for breaches of the ePrivacy Regulation.
Wait, what? There’s more?
Of course. As technological innovation reshapes the world, so too must the legal sector adapt. The ePrivacy Regulation (EPR) is a proposal for a Regulation on Privacy and Electronic Communications. It’s an update of 2002’s ePrivacy Directive, needed in light of technological developments, specifically the ‘Internet of Things’.
I think I’ve heard this referred to as the ‘Cookie Law’?
You are correct! Marketers and internet professionals coined the phrase. It’s the reason you might be greeted with a cookies policy pop up when entering a site.
I don’t understand. If it’s a law that already exists, why is it being reintroduced?
Well, it is currently an EU directive, meaning it’s a law which all countries within the EU must follow.
However, as it’s not a regulation, countries hold the right to implement the law how they see fit. This means there are national differences and relatively inconsistent enforcement across countries.
Enforcing a regulation, on the other hand, makes it legally binding across the EU and its member states. Similarly, the forthcoming GDPR is replacing the Data Protection Directive.
How does it work?
Currently, websites using cookies and other technologies employ a “notification and implied consent” method of visitor opt-in, e.g. pop-ups asking permission to set cookies. Under the new rules, the choice rests with the visitor by way of web browser settings, which ask users to opt in to tracking.
Anything else I should know?
Yes, the update plans to cover all channels of communication. This includes VoIP providers such as Skype and extends to messaging services like WhatsApp. It applies to machine-to-machine (M2M) communication services too, e.g. the Internet of Things.
These laws are introduced primarily to protect the customer but extend to balancing the marketplace. GDPR and the ePrivacy Regulation help stem the growth of duopolies (Google and Facebook) and hand power back to the people, who are essentially the product.
So what’s next?
Currently, the ePrivacy Regulation is still to be finalised; the GDPR took years. It seems unrealistic to expect a final version of the Regulation by 25th May 2018, as planned.
The focus is now on GDPR and the changing landscape of digital advertising, a change which brings opportunities to actually learn about customers, provide personalised marketing and deliver a better user experience.