On May 25th, 2018, the culmination of over six years of legislative work will officially become the rule of the land in the European Union. I am speaking of course of the General Data Protection Regulation — GDPR; aka, the first major international attempt at regulating and standardizing online data storage and its use. If you are familiar with the acronym (and if you’re here, chances are good that you are), you have probably heard that this regulation has massive implications for digital advertisers and the brands they work with — and while that is correct, it is important to understand just why that is.
Understanding GDPR
At the heart of GDPR is a desire to give EU citizens more control over their personal data. With so much of our lives (both online and off) revolving around data, and no consistent regulations anywhere in the world, the legislation is designed to ensure that all handlers of data online follow the same set of standards.
The regulation itself is years in the making: back in 2012, the European Commission began developing plans for data protection reforms in order to bring the continent fully into the digital age. In the four years following, legislators went back-and-forth on specifically what the GDPR would cover, and, nearly as important, how it would be enforced. Since December of 2015 — when the GDPR was signed — the EU has been preparing itself for May 25th, and the impact this regulatory framework is likely to have on corporations, advertisers, and consumers alike.
GDPR encourages compliance by insisting that companies handling user data implement processes and personnel to keep said data protected. It also provides for the ability for consumers to be able to control how much and what kind of personal data is stored — and to monitor and edit/delete this data should they choose. Based on the terms of these reforms, “personal data” is relatively broad in scope: it includes everything from name & address to photos, IP address, and genetic/biometric data (i.e. fingerprints).
Remaining GDPR Compliant
Compliance will be key for businesses operating in the EU; data breaches can cost handlers up to 20 million Euros or 4% of their annual turnover. While not all infractions will result in such large fines, there are some general guidelines outlined by GDPR for avoiding penalties, such as:
- Consent to store and use data must be granted by consumers to businesses in a clear, concise manner via an easily-understandable form.
- Businesses must provide an easy way for consumers to reverse consent and/or modify their data after it is stored.
- Consumers must be allowed to move data from one service provider to another should they choose.
- Parental consent is required to store data on any child up to the age of 16.
- Should a data breach occur, companies must notify their customers within 72 hours of being discovered.
How GDPR Impacts US Advertisers
Just because a company is based in the US doesn’t mean it won’t feel the impact of GDPR. Any company doing business in the EU must comply with GDPR for, at least, the EU portion of its business. GDPR legislation protects consumers — specifically, EU consumers — regardless of the country of origin of the business they are working with.
This presents a unique challenge for both multinational corporations and, say, domestic digital ad agencies with clients targeting consumers in both the US and overseas. In order to be compliant, US-based companies can either choose to completely block all traffic coming from the EU (and stop active campaigns there), maintain entirely separate business practices in the EU vs. the rest of the world (a costly approach), or bring their entire operation up to GDPR compliance, even though they aren’t technically required by any regulations to do so in their home country.
Finally, there’s the question of how the EU would even enforce GDPR violations (read: potentially billions in fines) on US-based businesses, particularly on those without physical footprints within Europe itself. Cases such as these muddy the waters in terms of enforcing the stiff penalties; though, given the strong relationship between EU and United States, domestic companies should probably think twice before considering not abiding by GDPR regulation if they are doing business in Europe.
Predicting the Future of GDPR
While the General Data Protection Regulation is currently only set to be the rule of law in the European Union, don’t think that legislators here in the United States won’t be paying attention to see what happens after May 25th. US data breaches have hit an all-time high — and domestically, there are still no unified regulations, best practices, or even bare-minimum precautions that data handlers are taking nationwide. This leaves consumers both weary of providing data online and at great risk — both of which the GDPR looks to help alleviate — which is why it wouldn’t be surprising at all to see the US being working on similar legislation sometime after the month is over.
