The imposing acronym in the title stands for “General Data Protection Regulation.” It was established by the European Union almost two years ago, to give its citizens and residents more control and protection regarding business acquisition and use of their personal data. The Regulation takes effect on May 25th.
Although the EU is promulgating this Regulation, its terms are applicable to any entity, anywhere, acquiring and managing data for any citizen of the 28 covered EU countries. And the Regulation has real teeth: Each violation carries a potential penalty of up to $24 million, or 4% of the violator’s annual worldwide sales revenue, whichever is higher.
The timing of this Regulation is almost eerie in its coincidence with the intensifying scrutiny being placed on personal data privacy by the likes of the recent Facebook/Cambridge Analytica controversy. What the EU has done is create an extensive set of regulations which govern how marketers must request and receive permission to use personal data or other information, how they must disclose such use, observe limitations that are placed on that use, and how they must provide opt-out capability. For the most part, the Regulation imposes what we have always known to be common, honest and open opt-in and disclosure best practices around email address and other personal data acquisition and management.
It is not our intent in this piece to discuss or summarize the full Regulation, which prints out to 69 pages, and can be found here.
But if your organization has collected any data whatsoever on any EU resident or citizen, you should already be familiar with Regulation requirements and fully prepared for compliance by May 25th.
As an organization subject to GDPR requirements, eDataSource, Inc. has spent more than a year preparing for GDPR compliance, and we have also maintained membership in the EU-US Privacy Shield since last year.
- The Boxbe panel forming the basis of our data platform involves voluntary and active consent of users during sign-up. We have clear and concise opt-in and data usage disclosures.
- All data we maintain, including email addresses, IP addresses, and temporary email storage, are encrypted using industry standard encryption and key management. Encryption keys are regularly rotated.
- We do not collect raw email content for EU citizens.
- All data are anonymized before incorporation into our deliverability platform.
- We have a process for fulfilling panelist’s “right to be forgotten.”
GDPR addresses privacy issues of major sensitivity gathering strength since the inception of customer database marketing. These issues have come to a head with the pervasiveness of vast global enterprises like Google, Facebook, and Amazon; and they will certainly intensify given the geo-tracking capability of smartphones and the listening capability of virtual assistants like Siri, Google Assistant and Amazon Alexa. The subject has drawn rare bipartisan Congressional interest and resolve, which means that something very much like GDPR may be coming to your neighborhood soon. Best to be ready.
Note: This post is being provided for informational purposes only. Nothing in this post shall be construed as creating a representation, legal advice, warranty or commitment, contractual or otherwise, by eDataSource to you or any other person or entity. It also does not guarantee that your email and/or any other aspect of your business is in compliance with state, federal, or International laws. This post is not a substitute for, should not be used in place of, and should not be considered, legal advice. It is recommended that you contact your general or legal counsel.