Act-On Software


What Does GDPR Really Mean for Marketers? 

In May 2018 the European Union’s new General Data Protection Regulation (GDPR) law will become effective. The regulation is intended to strengthen and unify data protection for all individuals within the European Union (EU). It will have an impact on all marketers who do business with people in these countries. Therefore, if you have at least one EU contact within your databases, you need to pay close attention to the GDPR and your revised compliance obligations.

Don’t Panic… Prepare! 

To help you get started on becoming completely GDPR compliant, we’ve prepared a selection of resources that address the important issues many marketers like you are wondering about as GDPR takes shape.

What is GDPR? 

GDPR is a comprehensive law by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for EU residents. This law replaces the current EU Data Protection Directive (95/46/EC) with additional requirements that you need to adopt in your marketing and data management objectives in order to be fully compliant. The new law extends the scope of EU data protection law to all companies, even those outside the EU, when they process data of EU residents.

About GDPR for B2B and B2C 

GDPR compliance and adoption make no distinction between B2B and B2C organizations. Even though the PECR (Privacy and Electronic Communications Regulations, UK) allowed a soft opt-out approach in email marketing, the new ePrivacy Directive is under review and is going to align with the GDPR.

More on the PECR:

When will GDPR be enforced? 

GDPR will officially apply from 25th May 2018, at which time those companies or organisations in non-compliance may be subject to fines and other additional consent requirements.

Important to note: There has been communication that there will be no grace period for compliance actions to begin.

Who does GDPR apply to? 

GDPR applies to persons and entities of all sizes that process personal data of EU residents, regardless of where they are based. These regulations apply to both data controllers and data processors, including third parties such as cloud providers. Under the GDPR, Act-On is a processor and our clients are controllers.

Where does GDPR apply? 

It applies to all EU member states and to entities and organizations outside the EU when processing the data of citizens within it. If you hold data on EU citizens in your files and they reside outside of the EU, you are still obligated to comply.

Does Brexit affect the ruling of GDPR? 

No. GDPR comes into effect before the UK officially leaves the European Union on March 29th, 2019. The UK has communicated that it will adopt the GDPR prior to Brexit being finalized.

What are the penalties for non-compliance with the GDPR? 

The maximum penalty for organizations in non-compliance with GDPR can be up to €20 million or 4% of annual global turnover, whichever is greater. There is a tiered approach to fines: for example, a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.

What does Act-On do to help make me GDPR compliant? 

While we are not in a position to legally advise you on your GDPR obligations, under the GDPR we serve as the Data Processor and you are the Data Controller. We process the data based on your instructions. We will provide you insight on how to adopt your approach to GDPR compliance using our services.

How can I get more information on GDPR and Act-On? 

If you have additional questions or need additional information please email: and we will be happy to help.

How are Act-On's GDPR preparations progressing? 

As we enter 2018 we are well under way for GDPR adoption. Many areas of GDPR requirements have been addressed, with specific notation guidance from the UK ICO, which includes:

  • An extensive third-party review of our business operations and GDPR obligations via TrustArc.
  • Implementation of our interdepartmental GDPR Working group encompassing all functional areas of our business.
  • Comprehensive employee awareness training of GDPR and the implications of non-compliance.
  • Ongoing commitment to global privacy laws including EU-US Privacy Shield certification and the opportunity to provide Model Contract Clauses if requested for our EU clients.
  • Third party contract reviews and written vendor acknowledgement for compliance obligations pertaining to processing activities that support our operational business activities.
  • Evaluation of possible GDPR vendors to automate specific GDPR requirements, including but not limited to Article 30 and also Data Subject rights.
  • Continued client communication outreach and industry thought leadership.