The European Union directive declares data privacy to be a fundamental human right that American companies ignore at their peril.
When you first hear about the GDPR, you might think that it’s an EU thing and it doesn’t apply to American companies with no services in Europe. But that’s not the case.
The GDPR boils down to the fact that if any EU citizen accesses your site and leaves a data trail, it affects you. No matter where your home office is, or where you store or process the data, it counts. This could be a game changer for companies across the globe.
Gone are the days where adding a cookie consent banner is a catch-all strategy to ensure compliance. After four years of debate, the EU has finally approved the General Data Protection Regulation (GDPR) which is effective May 25, 2018.
Even if your site has no traffic coming from the EU at all – your analytics providers, marketing partners, hosting services, and other parts of your web infrastructure will be impacted, and therefore so will you.
We recently received an email from both Google and Slack notifying their users how they will be updating their policies and procedures to comply with GDPR. As users of both, we need to understand what changes they are making. We expect to receive more of these emails over the coming weeks.
We want to stress that GDPR is a complicated set of legislation that the EU will put into effect and enforced on May 25, 2018. We are providing a brief summary, our interpretation, of some of the most critical aspects that we believe will impact US companies. This article should not be construed as legal advice and as with any legal situation, you should consult with your legal counsel. We encourage you to do your own due diligence and perhaps read the GDPR Directive itself.
A Closer Look at the GDPR
Take a minute and read, then reread, this statement about the GDPR Directive: GDPR declares that Data Privacy is a fundamental human right that is the responsibility of all governments to recognize and protect.
The European Union rejects the concept that data collection is just a function of marketing, technology or IT. Data privacy will be held on the same human rights plane as the right to live, right to education, freedom of expression, and freedom of religion. (Preamble, Sec 4).
With penalties starting at 4% of annual global revenue or $28 Million/€20 Million (whichever is greater) it’s worth taking seriously.
As with any change to legislation, there are some common misconceptions already surfacing around the GDPR Directive. We address these below:
5 Common Myths around GDPR
1. GDPR only applies to companies with a physical presence in Europe.
No. GDPR is designed to protect the people who live in Europe, but it does not exclude companies with a physical presence outside of the EU.
2. GDPR affects only data in Europe
No, any rules from GDPR must flow with the data. The rules are attached to the data not the location of storage or processing.
3. Marketers will need to get all new consents from all of their users
Not necessarily. If brands have already gathered consent in a GDPR compliant way, that is sufficient.
4. Right to be forgotten is absolute
No. Companies may have legit business reasons to keep data (for instance, legal or tax records).
5. Just obtaining consent is acceptable
No, obtaining consent from a user in order to allow them to use your site (ie purchase something, download media or view content) may not be considered consent, even if they click a consent button.
As global organizations brace for all of the changes that they may need to implement in order to be compliant with GDPR, Adobe is helping out brands get there by ensuring that Adobe products help with this journey. In our next post, we will discuss how Adobe is addressing these new regulations to help its customers comply. You can read more from Adobe here.
In the meantime, we encourage all organizations to become familiar with this statute and take steps toward compliance. How this will play out in terms of enforcement in US courts is yet to be determined; however, even if US courts will not enforce this regulation (it remains to be seen how a case against would play out), companies need to be mindful of the very real impact that the GDPR legislation and impending action might have on future plans, incidental business dealings, and the travel of company officers.
The GDPR Directive can be found here.