The General Data Protection Regulation (GDPR) was approved by the European Parliament and Council in April 2016 as the primary law regulating how companies protect EU citizens’ personal data. In addition to businesses located in the EU, any business that collects, processes, or stores the personal data of EU citizens is subject to the new regulation, regardless of its location. Under the GDPR, “personal data” means information relating to an identified or identifiable person. This information could include a name, phone number, email address, ID number, location information, photos, IP addresses, cookie strings, and social media posts.
- Stronger Consent Required. One of the biggest changes is to the consent requirement. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. Make sure all consent forms are unchecked by default and have an easy-to-understand confirmation process.
- Breach Notification. Under the GDPR, breach notification is mandatory within 72 hours where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Companies must develop and adhere to thoughtful procedures for notifying the relevant data protection authorities of a data breach. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
- Right to be Forgotten. Users will now have the right to have their data deleted at any time. It’s important to have a process in place for easy data deletion. Similarly, a user can request a copy of their data, making it imperative to have a log and the ability to retrieve such information upon request.
- Email Marketing. Under the GDPR, email marketers must collect freely given, specific, informed and unambiguous consent. The GDPR not only applies to the data collected on its effective date, but also to data gathered before. Thus, depending on how user data was collected in the past, you may need to unsubscribe users and ask for opt-in consent in order to comply with the new GDPR standards.