Two years after it was announced by the European Parliament, the Council of the European Union and the European Commission, the General Data Protection Regulation (GDPR) becomes legally binding on May 25, 2018. This new regulation legally prohibits marketers from storing or using EU residents’ personal data without their consent.
Consent must be explicit. Opt-out pre-ticked boxes, fine print and confusing jargon will become things of the past, ensuring that people truly understand that sharing data is their decision. This also applies to data that’s been rendered anonymous and can’t be attributed to any specific individual.
On the surface, the GDPR sounds like the solution to a modern issue. But people may not realize that the regulation has been a long time coming.
Content produced in association with SmartFocus.
The history
In 1980, the Organization for Economic Cooperation and Development (OECD), a democracy-focused organization of 35 countries, created a list of related principles aimed at protecting people’s privacy. “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data” required companies to notify people when—and why—their data was collected. The data was to be kept secure and also accessible to the subjects, who were free to correct inaccurate information.
The U.S. endorsed the OECD’s guidelines but never implemented them, while the EU was much more receptive. However, the guidelines were nonbinding and open to interpretation, weakening their impact.
The fact that data privacy laws varied across EU countries impeded the free flow of data within the EU. As a result, in 1995 the European Commission proposed the Data Protection Directive instead, which the GDPR will replace.
While 1995’s directive could be implemented differently from country to country, the GDPR installs a single set of rules across the EU, which one supervisory authority will oversee. The regulation comes with several updates, compelling businesses to track how and where data is stored and used, and empowering citizens to opt in.
Most significant is that the GDPR extends far beyond Europe. The regulation applies not only to businesses located in the EU, but to any that operate within its borders. Facebook may be headquartered in California, but with 252 million users in the EU, the company is still required to comply.
The protraction of “personal data”
More than anything, the GDPR is emblematic of how the world has fundamentally changed. The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life.”
The term casts a wide net, including anything that can identify a person, such as name, address, phone or social security number, birthdate, and criminal record. Many things we would call personal data were not considered in 1995, when only 1% of the European population used the Internet.
By 2016, 85% of Europeans had Internet access at home. As technology has evolved, “personal data” has expanded to include more modern identifiers such as IP and email addresses, social media posts, and images uploaded to the Internet. There’s no comprehensive list of items that fall under the umbrella of personal data. The GDPR is purposely worded generally to allow for future technological innovation and unforeseen data sets.
With the ubiquity of smartphones, we’re constantly broadcasting our location to apps. The advent of ecommerce and today’s streamlined customer experience also means that our payment details are stored online.
This contributes to society creating (and continuing to create) more data than ever before. And with the technology available today, sophisticated marketers can essentially track our every move, knowing consumers so well they can successfully predict behavior.
What it all means
Marketers’ intimate knowledge gives people pause, but the GDPR will restrict their unfettered access to data like never before. It’s been building up for decades, but unlike previous iterations, the GDPR comes with a hefty price tag. Violators can be fined up to €20 million ($22 million) or 4% of global turnover from the previous year, whichever is greater.
It’s in marketers’ best interest to comply, which will pose monumental challenges. But in addition to the obstacles, it also provides an immense opportunity. In part two of this series, we’ll explore how greater transparency will ultimately result in greater trust, an area where the entire industry can improve.
To learn more about how marketers can seize the opportunity with the GDPR, read SmartFocus’ ebook, “GDPR: How Marketers Can Seize the Opportunity.”