Answers to your burning GDPR questions.


Photo: Mark Skeet

If you’ve been hearing about the European Union’s (EU) new data privacy law, the General Data Protection Regulation, which goes into effect on May 25, 2018, and have questions, you are not alone.

According to MailChimp, “It regulates how any organization that is subject to the Regulation treats or uses the personal data of people located in the EU. Personal data is any piece of data that, used alone or with other data, could identify a person. If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you’ll need to comply with the GDPR.”

Off-hand, you may not think this applies to you. However, if you “offer goods or services to or monitor the behavior of EU data subjects,”[1] you should take a look at the guidelines. Even if your company is not located in the EU, you may still need to be in compliance.

What is personal data?

The European Commission identifies personal data as “any information that relates to an identified or identifiable living individual.” Examples include name and surname, home address, email address, location data, IP address, cookie ID, and more.

How do I gain consent?

Providing an explicit opt-in feature on websites and in email, rather than treating a submitted form as the only form of opt-in, is a great way to get started. You should also identify how your website or email uses the information collected. On a website this is often covered in a privacy policy and terms and conditions; in email it is often a disclaimer located in the email footer. Also, check third-party technology to ensure it does not automatically add people to your email lists without asking for consent.

In social media, many channels are adopting policies that let members adjust settings controlling data that advertising and marketing applications may have had access to in the past. For example, LinkedIn will be removing audience email addresses that advertisers were previously allowed to store. It’s important to review their policies as well.

Also, if you market to or contact people under the age of 16 in the EU, you will be required to gain parental consent; in the U.S. the age requirement is 13, under the Children’s Online Privacy Protection Act (COPPA).

What do I have to change on my website or in my email to help protect myself and my business?

The GDPR offers a compliance checklist to help you meet the recent changes. It breaks responsibilities down by controllers (if you store the data) and processors (if you store data for someone else). Each has a unique set of responsibilities.

HubSpot has put together a project plan to help companies prepare for the changes needed to address this new compliance effort.

If you have more questions about the impact GDPR might have on your company, review the Regulation website; then contact legal counsel to assist.