As data users, we should be used to the fact that we work in a field of information that’s rapidly changing. Every once in a while, something big happens that stirs up the community and creates significant changes to how marketing, be it analog or digital, is done. That’s what happens when Google pushes big algorithm changes, or when automation becomes ubiquitous, or when personalisation, data research, or social media marketing become the buzzwords of the year.
The industry reacts to these new advancements. It incorporates them, and it learns to use them to achieve its various goals. But the industry isn’t the only thing that’s reacting. There are also legislative bodies with the power to create rules and regulations that affect how the marketing industry conducts its business and how it interacts with people.
In 2017, the big change that’s less than a year away comes from one such legislative body, or two to be exact — the European Parliament and the Council of Europe. Together, the two EU legislative bodies have developed Regulation (EU) 2016/679, also known as the General Data Protection Regulation, or GDPR for short.
What Is the GDPR?
The General Data Protection Regulation is legislation, set out in 99 articles, that aims to regulate how, why, and when EU citizens’ information is processed, accessed, or manipulated in any other meaningful way. It’s a law that was made with the aim of enforcing higher standards of privacy, security, and transparency in the context of data gathering and analysis.
At its core, the GDPR is about EU citizens’ rights to have their data processed in a safe way. Of course, the rules created to ensure the safety of citizens’ data are bound to affect those who process the data, as well as those who order the processing. In an increasingly digitalised world, that means almost every organisation that does business in the EU, or that offers services to EU citizens. It doesn’t help if the organisation is based abroad; if it wants access to the EU market, it will need to comply with the GDPR.
The legislation entered into force in May 2016, with enforcement set to begin on 25 May 2018. Organisations were left with two years to ensure that they comply with the new standards before they are enforced in 2018. Those that don’t will suffer penalties.
Why Now, and Why at All?
The GDPR is not the first set of rules that regulate usage of individuals’ data in the EU. The rules we’re operating under until the GDPR steps on the stage are those stated in Directive 95/46/EC, also known as the 1995 Data Protection Directive. Individual countries within the EU might also have their own rules and regulations regarding data usage and safety.
But let’s take a moment to acknowledge one simple fact — the last time the EU passed some form of data protection legislation, the world was a very different place. The 1995 DPD was issued before there was Google, or Facebook, or smartphones, or PayPal. It was a completely different marketing landscape, and if there’s one thing we didn’t do as much back then, it was collecting data.
The GDPR builds on some of the guidelines set forth in the Directive, which certainly means that the people creating the Directive more than 20 years ago had the good sense to set good rules for the future, at least in principle. But what they didn’t know at the time, and what no one else knew, is just how much data would be gathered in the future.
It was equally hard to foresee how many people would be affected by data breaches in the future. The more people use services and products that require some form of personal information, and the more types of information required, the more the potential for damage from breaches increases. And that’s not mentioning the fact that the number of victims of virus attacks, malware attacks, and other harmful activities is increasing.
There’s a good reason why, in an interconnected world, security and privacy are two of the top concerns. Even though tougher regulations, as put forth in the GDPR, will make businesses work hard to meet them, it’s important to remember that there’s a common interest of all parties involved — the legislators, the individuals, the businesses — to keep data safe. It’s just that the businesses are the ones who’ll have to do the work to make it happen.
This legislation, which was in the works for four years before it saw the light of day, is an attempt to create more robust protections that will be able to tackle the problems individuals and businesses face today. And, because it’s not a directive but a full regulation, the GDPR will make compliance regulations much more uniform across different EU states, which wasn’t always the case with the Directive.