It’s been a little over a month since the European Union’s General Data Protection Regulation, or GDPR, became law. The statute, taking effect on May 25, 2018, launched a slew of privacy update emails and last-minute data wrangling efforts from various companies across the globe. It has since inspired similar regulations, most recently California’s California Consumer Privacy Act of 2018 (AB 375). Additional regulations, originating from different countries or states, could be on the way.
Why all the hubbub?
There are a few reasons why GDPR inspired so much scrambling and continues to do so after its implementation. First, it affects companies on a global scale. Second, it shifts an organization’s control over collected data from companies to individuals. Third, organizations can only collect data on an individual if they actively ask the individual for consent or if that individual has a legitimate interest in that company’s dealings.
Not only that, but organizations also need to clearly explain why they are collecting data and what for. Companies will need to demonstrate they can easily delete collected data if either A). an individual requests it or B). if the data is no longer relevant to the reasons it was initially collected in the first place. Data cannot be kept indefinitely for no particular reason.
The central issue, and why this regulation impacts companies across the globe, is that it regulates any data belonging to any E.U. citizen, regardless of where that data, or the company using that data, resides. If, for example, a company hosts an E.U. citizen’s data in Canada, that company still needs to comply with GDPR or risk up to 4 percent of its global revenue.
So, yeah — GDPR is a big deal. And both companies and governments are still trying to wrestle with both its implications and its enforcement.
Ultimately, though, GDPR is good, even if it’s still unclear to many. It empowers individuals to control their data and gives companies the scaffolding they need to shift their marketing and data retention policies to focus on individuals who are actively interested in what a company has to offer. Think of GDPR — and similar legislation — as an opportunity to both better organize your data and shorten your marketing funnel by engaging with folks who are genuinely interested in your business. It’s an invitation to stop interrupting and start engaging by putting your audience’s interests first.
