These emails exist because companies are racing to comply with the new General Data Protection Regulation, GDPR .
Without intending to replace a legal advisor, we explain what the GDPR is and how it affects you regardless of where your company is located.
What is GDPR?
The Data Protection Regulation is the new European regulation that came into force on May 24, 2016 (yes, last year) that regulates how our data is handled . This regulation will replace Directive 95/46/EC, which has regulated data protection in Europe since 1995. On May 25 of this year, the deadline granted to companies to adapt to the legislation expires. That's why all those emails in recent weeks that almost, almost touch the limit of what the regulation allows.
This new regulation aims to give European citizens power over their data by updating a regulation created for a different world. The GDPR regulates, among other things, how any organization, or even individuals, obtain, use, accumulate and delete personal data.
Who is affected by GDPR?
It affects any company or individual that offers goods or services to citizens in the European Union, whether or not the collection of data involves payment, regardless of where in the world this company is located. It also affects those who monitor behaviour, as long as said behaviour occurs in the European Union.
So if you are anywhere in Latin America and you handle data of citizens of the European Union, this regulation affects you . Some examples of data collection that could affect you:
You have customers in any of the European Union countries who pay for your products or services.
On your website where users must register to access certain content, applications, features, etc.
You have a website where European citizens can subscribe to your newsletter.
Do you use any monitoring tool on your website or app to personalize content, services, etc.
What does it mean to be affected?
In practical terms, mainly money. One of the changes in the GDPR is the considerably high monetary penalties. These penalties could be up to 4% of an organisation's global turnover or 20 million euros , whichever is higher.
3 Things you should know about GDPR
Consent must be express
The consent given by a user must gambling data taiwan be explicit, informed and revocable at any time. In addition, it must be specific, that is, it must be given for each of the purposes for which the data is collected. In other words, all consents must be given individually. If a user gives you consent to send them a newsletter, you will not be able to send them promotions.
Therefore, it is important to design a pleasant user experience to show the user all the options for which they accept (or not) their data being used. Great care must be taken in this design, because having to make explicit a pre-checked box that is almost invisible would be against the regulations.
What about past consent? The regulation is somewhat ambiguous in this regard, stipulating that there will be no problems as long as consent has been granted in accordance with the principles established by the GDPR.
New rights for citizens
One of these is the right to portability , meaning that any user can request data from one company to transfer it to another. This includes all activity records, and it must be in an appropriate format that does not hinder the work of the new provider. Likewise, a citizen can demand a copy of their data in a format that is convenient for them, such as a hard drive, pendrive, etc. Here, it is also worth mentioning the right to cancel this use of data by the user, something that is already common today.
The principle of active responsibility (accountability) will also be put into practice . This principle relates to the internal processes of companies and organizations for storing and handling data. This seeks to make companies responsible for the data and for ensuring compliance with the GDPR.
The need for protocols for when security breaches occur is also established. The company is responsible for responding within 72 hours, which implies notifying the corresponding agency, the affected party and taking measures to resolve the problem.
New concepts
In addition to procedures and sanctions, the GDPR also introduces new concepts. The most important of these are privacy by design and privacy by default.
Privacy by design implies the application of the principle that privacy is best protected when it is already built into the technology when the products or services offered are created. Ambiguous, isn't it? Yes, which is why there is still some uncertainty about what this term means and how it can be applied.
Privacy by default , on the other hand , means that organizations must apply appropriate technical and organizational measures to ensure that data protection options are optimal by default. That is, only the personal data that is necessary for each specific purpose of a process will be collected and handled.
How does GDPR affect our digital marketing actions?
Social networks
At this point we are talking about the use of social media in an organic way. In general, there should not be any major problems, since social media activity itself does not involve data collection.
However, there are a couple of scenarios where you should be careful: If you use social media as a source of personal data about your followers to import them into a list, etc.
If you send traffic to your website through social networks, and you use Google Analytics to track your visitors.
This is how the Spanish Data Protection Agency warns its users about its policy regarding Twitter (from a link in its bio):
