Curious why you keep receiving emails from tech giants like Facebook and Uber explaining their latest “Privacy Policy Update?” Last Friday, the General Data Protection Regulation (GDPR), the European Union’s new set of privacy rules, officially went into effect. These guidelines aim to protect user data and give more privacy control to the consumer. And while the GDPR technically only applies to EU countries and residents, American companies that do web business in Europe must also operate under the guidelines. These companies each had to update their privacy policies by May 25 in order to be compliant—hence the emails you’ve likely been receiving.
So, what exactly is the GDPR, and how will it affect you? Let’s break down some of the key elements of the act.
Users Have the Right to be Informed
Before collecting consumer data, businesses now must spell out exactly what data they wish to collect and how they intend to use it. One checkmark no longer fits all. To be GDPR-compliant, companies have to explain each term of the sign-up process, in words that all users can understand, and consumers must explicitly give their consent.
Users Have the Right to Erasure
Or, in other words, the “right to be forgotten.” Once the consumer is informed, has checked all the boxes and has agreed to allow companies access to their data, they will eventually be able to opt out and request that their data be erased (unless the given data is still being used for the denoted reason).
Businesses Must Appoint a Data Protection Officer
The DPO is mandatory under the GDPR. Those appointed to the role will act as GDPR “watchdogs,” responsible for making sure businesses implement and enforce the new guidelines. The DPO will be a required position at all companies that collect large amounts of personal data, and will serve to catch breaches early on, or greatly diminish the likelihood of one.
There’s a 72-Hour Breach Notification Rule
The GDPR outlines a list of privacy rules that companies must adhere to in order to safely use consumer data, and it means what’s written. Not only is the appointment of a DPO mandatory, but data breaches must also be reported within 72 hours. We all remember how long Equifax waited to report its data breach last September—two months—and the PR crisis that ensued. The 72-hour rule gives businesses little room for deliberation. Instead, it ensures companies are being transparent with their users throughout all stages of the breach.
It Will Have a Sizeable Impact on Social Media
It’s no surprise that social media are some of the biggest collectors of personal information. Under the GDPR, social platforms—Facebook, Twitter, Snapchat, Hootsuite—will have to update and define the terms of their advertising and monetization practices. As a result, you may need to pay attention to how you’re conducting paid social media marketing campaigns. Make sure to read through the new terms before starting a paid campaign of any sort.
These are just a few of the GDPR’s key elements to keep an eye on. Even though the GDPR applies to EU countries specifically, it outlines a very important set of rules that will greatly impact American companies conducting business overseas. It is vital that tech businesses both domestic and abroad get ahead of the GDPR now, so they can avoid a PR fiasco like Facebook and Cambridge Analytica’s in the future.
What steps have you taken to adapt to the new rules? Let us know in the comments below.