The EU’s General Data Protection Regulation (GDPR) goes into effect May 25, 2018. That’s only six months away, but I’m surprised by how many publishers don’t know about GDPR, don’t think it affects them, or think they’re compliant but are not.
We’d much rather focus on the fun part of publishing: creating great content, building our audience, and growing revenue. But legal compliance is now a core requirement of doing business online and GDPR takes online privacy to an entirely new level.
What is GDPR?
At its core, GDPR is a new set of European Union consumer protection regulations designed to protect the data privacy of EU citizens. The UK is also included … even with Brexit.
But don’t think this only affects publishers with an office or headquarters in Europe. The EU-US Privacy Shield Framework and the Judicial Redress Act mean that even U.S. companies could be subject to certain class action lawsuits from Europe related to GDPR.
GDPR is built on the concept of “privacy by design” and goes way beyond both the U.S. CAN-SPAM Act and the Canadian Anti-Spam Law (CASL). It requires publishers to get affirmative consent from someone prior to collecting ANY data about them. It also requires that you keep a record of such consent and give the individual the ability to revoke consent at any time, and to access, correct, or completely erase ALL data you have about them.
Editor’s note: WNIP recently attended a closed session with Gabriel Voisin, a specialist data lawyer at law firm Bird & Bird. His overview differs slightly from that of the author of the above piece, not least in the significant difference between B2B and B2C data collection/storage. We would recommend Gabriel and Bird & Bird strongly for any publisher looking for GDPR clarification.