The countdown is on: only two months are left for companies to ensure they are in compliance with the European Union's General Data Protection Regulation (GDPR), which takes effect on May 25. The regulation will apply to all businesses that hold and process personal data collected in the European Union, regardless of those businesses' industry or location.
A bit of history: before GDPR, the EU relied on the 1995 Data Privacy Directive, which proved difficult to enforce, and compliance levels varied across the EU. Although countries like Germany and the Netherlands employed rigorous controls, some countries had virtually no controls whatsoever. The GDPR is designed to tackle that issue and ensure all countries deploy comprehensive controls to keep EU residents' and visitors' data safe.
The new GDPR rules are in the form of a regulation—imposing data protection standards that should, in theory, be the same in all 28 EU member states.
GDPR is serious business, and US companies and CMOs need to understand the huge impact it will have on cybersecurity and business operations as a whole.
What is GDPR?
There is a lot of misinformation out there about GDPR, so let's start by defining it. The GDPR is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. The deadline for full compliance is May 25, 2018. Those that do not comply risk being fined up to 4% of their annual revenues, up to €20 million.
Does GDPR apply to data already in use by an organization?
A common misconception is that GDPR applies only to data collected after May 25, 2018. That is false. Existing customer data may become largely unusable once GDPR comes into force, because individuals must give an explicit opt-in—they must expressly agree to allow an organization to contact them—before they can be marketed to.