If you’ve been paying attention to the news in recent months, you may have seen headlines with the phrases “GDPR” and “European Union” popping up more and more often.
“GDPR” refers to “General Data Protection Regulation.”
It’s legislation that the EU approved back in April of 2016. Once approval happened, businesses were given 2 years to comply with new stipulations for collecting and using consumers’ personal data.
In a nutshell, the European Union strengthened the consumer’s right to control their personal data.
That’s great, but…
Why should we care, as content marketers and business owners not located in the EU?
(I don’t blame you if you look like this right now.)
But here’s the thing.
If you have customers in the EU, or operate at least in part there (including collecting EU consumer data), you will be affected by this new legislation, which will go into effect on May 25, 2018.
GDPR protects Europeans’ data no matter where they go virtually. Since we live in a global, digital economy, this applies to most of us who operate online.
To help you navigate these murky waters, I’m discussing the main pieces of GDPR that are most likely to affect you.
Then, to help you figure out what to do next, I talked to Richard Chapo, an internet lawyer I previously chatted with on The Write Podcast about copyrighting in content marketing. He has some advice about what to do in the face of GDPR.
Let’s get into it.
Which Parts of the GDPR Should You Be Most Worried About?
1. If You Collect Personal Data from EU Consumers, You Will Have New/Increased Responsibilities
The “personal data” that GDPR affects is the basic stuff you collect from customers and leads all the time: names, email addresses, and any other information that is personally identifying.
Specifically, GDPR stipulates that you are wholly responsible for the security and safety of the personal data you collect.
This also means you are responsible TO the consumer/customer. Above all, GDPR protects their rights.
2. EU Consumers Will Have Expanded Data Privacy Rights
GDPR mainly focuses on expanding and strengthening EU consumer data privacy rights. Here are the major points:
- Consent must be crystal-clear. When consumers give their consent for you to collect their personal data, you must stipulate exactly how and why you’ll be using that information. You can’t use confusing or misleading legalese or fine print to state this information – it must be accessible, clear, and easy to understand.
- This also means you can’t collect data for one purpose and then reuse it later. For example, you can’t offer a free download in exchange for emails, and then keep those emails and use them to populate your mailing list. You have to tell consumers EXACTLY what you will do with their data when you ask for consent.
- You must collect the minimum amount of information needed to achieve your objective. For example, if you want consent to collect a consumer’s email address to send them your newsletter, you arguably don’t need their age or employment status to do it.
- Consumers have the right to access and review the data you collect from them.
- Consumers have the right to have the data you collect be “forgotten” – erased from your databases and therefore no longer used/processed.
There are lots of other points in the legislation, but these are the top ones you should know about. To read the others, check out MarTech’s in-depth explanation.
3. You May Be Fined If You Fail to Comply, But Fines Are Situational
The maximum fine an organization can incur from breaching GDPR is 4% of their annual global turnover, or 20 million euros (whichever turns out to be the larger number).
This is relevant to mega international companies, but to you?
Not so much.
Instead, what you need to worry about are tiered fines, which vary depending on the severity of your infraction.
For minor infractions, organizations or individuals may be given a reprimand rather than a fine, but only if the fine would impose a “disproportionate burden” on them, according to article 148 of the official legislation.
What to Do Next: Advice from Attorney Richard Chapo
What should you do next in terms of GDPR’s far-reaching effects?
To find out, I talked to Richard Chapo, an internet lawyer with 24 years of experience in topics like fair use and copyright law, licensing, and other legal issues that affect online business owners.
Here’s the sage advice he has for anyone who will be affected by GDPR, whether you’re a blogger, an online business owner, or a content marketer:
“The GDPR contains massive penalty provisions, and we’ve seen a good bit of scaremongering online because of them.
The purpose of the GDPR is not to generate massive fines. The purpose is to protect the personal data of subjects located in the EU. Make a good faith effort to comply, and you are unlikely to be wiped out by a GDPR fine.
As Elizabeth Denham, the UK Information Commissioner stated, “…it’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm.”
Under the GDPR, you cannot collect personal data from a ‘child’ under 16 without getting verified parental consent first, although some countries can set the age as low as under 13. If the subject matter of your site is directed at kids – video games, education, etc. – you need to be wary of this requirement found in Article 8 of the GDPR.
The world will not end on May 25th if you are not GDPR compliant.
Many companies large and small will fail to meet the deadline. If you’ve just learned of the GDPR and are panicking – don’t.
First, panicking doesn’t accomplish anything. Second, get moving on compliance. If you receive an audit notice from an agency in the EU, providing evidence that you are in the process of complying will mitigate any penalties.”
Bottom Line: Get Familiar with GDPR and Understand If You’re Affected – Then Get Moving on Compliance
As Richard says, it’s important to start making sure you’re in compliance with GDPR if it will affect you. Even if you’re a little behind, this shows a good faith effort and may help you avoid penalties.
Smartblogger has some fantastic advice you can put into action right now for compliance. They recommend following 7 steps, including:
- Doing an inventory of the personal data you collect
- Quitting collection of any data you don’t need
- Making sure you’re totally clear about the information you ask for and receive from consumers
- And more.
A little work now will go a long way toward your peace of mind concerning GDPR as it goes into effect. The key is to start A.S.A.P. – then you can breathe a sigh of relief.
Questions? Thoughts? Comments about the new legislation? I’d love to hear them in the comments!