The four letters you may not want to hear, but will: GDPR
If you checked your inbox lately, you’ve probably seen emails like the ones below. Yes, the General Data Protection Regulation (GDPR) is upon us and organizations are reaching out to customers to confirm consent to ‘staying informed’.
After four years of preparation and debate, the GDPR was approved by the EU Parliament on 14 April 2016. Following a 2-year post-adoption grace period, GDPR will become fully enforceable throughout the European Union.
The Enforcement date, as many of you know, is 25 May 2018. In a few short weeks, organizations in non-compliance may face heavy fines if they fail to be compliant by that deadline. What kind of penalties you wonder? Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of ‘Privacy by Design’ concepts.
There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment. PII – Personal identifiable information – is at the core of the regulation. PII can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address (see more here).
Non-PII data examples are a company registration number or a generic email address such as ‘email@example.com’ and anonymized data (used by many analytics tools by default).
We are curious what kind of 'getting consent' examples you have seen on websites or in emails. And is your organization confident you comply with the upcoming regulations? Let us know in the comments!