GDPR one year later: what’s changed, what hasn’t

We’re one year into the GDPR Regulation taking effect, and many marketers here in the United States are wondering – what’s changed, and what hasn’t? Before we accuse GDPR of being the latest “Y2K” scare, we at KW2 believe that online data privacy is of the utmost importance. Whether you’re marketing to current or potential healthcare patients, parents, international students, using a high-tech CRM (like HubSpot or SalesForce) to reach people or communicating to a general audience, taking privacy seriously is important. And it’s only going to become more popular in the coming years.

In this article we’ll cover what the GDPR is, what we know now that the GDPR has been around for a full year, and what to do if you’re just not sure what to do.

Recap: What is the GDPR—in 5 minutes?

The GDPR, or General Data Protection Regulation, was an attempt by the European Union to codify and enforce some basic best practices around data privacy on the Internet.

That was easy!

What user data can you store? Should users be able to ask for a record of their data? Can users ask you to hand over their data (Hey – I was using that!)? What happens when somebody’s data is used in a way that they didn’t intend for it to be used?

The regulation became enforceable in the EU in May of 2018, meaning corporations could be sued for violating the regulation starting at that time.

In short, the GDPR requires:

  1. That you get consent to gather data (ask for consent up front, rather than forcing users to opt out after the fact)
  2. If somebody wants a record of their data, you must provide it (at no cost to them and within a reasonable period of time)
  3. If a user asks you to delete their data, you must delete it (this means putting practices in place to allow total erasure of personal data from databases)
  4. If there is some sort of data breach, you have 72 hours to notify your customers of the issue

There are more details of course, but those are the big beats.

Who is the GDPR meant to regulate?

Your business is required to comply with the GDPR if you…

  1. Do business with anyone in the EU and
  2. Store user data and/or use it to communicate with them, market to them or make decisions about your business

GDPR applies not only organizations located within the EU, but who either do our could do business with anybody in the EU. The only cases where GDPR law would not apply are if you truly collect no data from users (not even Google Analytics cookies or a Facebook Pixel), and/or there’s a 0% chance any of your visitors are located in the EU.

Who is the GDPR meant to help?

GDPR is meant to help users on the Internet. You, me, and all of our audiences—everybody. Because if your users’ data isn’t secure, then neither is your own. GDPR was originally drafted and enacted to help EU citizens take ownership of their own data privacy. But now that so many websites are asking us to opt-in to cookie usage, it’s apparent how many sites store traces of our information on a daily basis.

Having one set of rules to play by helps users approach all of their privacy considerations through one lens, rather than reading every site’s privacy policy. And it helps us marketers know we’re following those rules, avoiding fines and being above board on our data collection and usage.

What happened in the last year?

Many bloggers predicted an onslaught of hefty fines as soon as GDPR took effect. While a few large corporations (Facebook and Equifax) did receive large fines, for the most part, GDPR did not break the Internet.

Now that we’re back up to speed on what this regulation is, what has happened in the last year?

  • The regulation still stands, and very little will change when/if Brexit occurs.
  • The number of reported breaches nearly doubled in the last year, showing the importance of requiring companies to notify people of such occurrences.
  • Many US companies adopted GDPR protocols as a general best practice – Thanks for the role modeling, EU.
  • Many US states (hello, California!) have adopted their own policies to protect. consumers. It’s a trend we expect to see a lot more of in the coming years.
  • Many big players formalized their data gathering, processing and deletion policies and hired data regulators to manage it all.

What hasn’t happened in the last year?

Well, for one, the sky didn’t fall. Mom and Pop websites didn’t get fined out of business. But, the big corporations didn’t get fined much either. Because everybody was incredibly compliant? Well, probably not. Remember, this sweeping change took effect across the entire EU and there are only so many regulators out there to help investigate and push these fines. We expect to see the requests and fines increase over the years as consumers have more help with enforcement and reporting.

What should you do?

If you do business with, or offer goods, services or information to, people in the EU, review the list of GDPR requirements and make sure you’re compliant. If you do business with folks in the state of California, their regulations are very similar. Shoring up your data practices is not only inevitable, it’s becoming law in more and more places.

Here are our top recommendations for marketers, but if you use and/or store a lot of user data, we also recommend you contact a GDPR consultant. If your company is large enough, consider hiring a data regulator to help you with all this.

  1. Review and update your company’s privacy policy. There are some great policy generators out there that will help you do just that, guiding you toward the right language based on what data you collect, and from whom.
  2.  Gathering user data via forms for marketing automation? Talk to your IT crew about how that data is stored, for how long, and who has access to it.
  3. Have a data deletion policy? Now’s a great time to review it, or create one. You should only be hanging onto that data as long as you need to. And, GDPR requires that you publish your storage policy.
  4. As a marketer, you are an important part of the team that decides what information is gathered and how it’s used (think sending email campaigns or running remarketing campaigns). Have a seat at the table no matter how technical these talks get, and commit to being an advocate for your users.

If you need help reviewing your policies, adding a consent popup to your site or getting in touch with a GDPR consultant, please reach out to our digital team.