The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that will affect businesses around the world when it goes into effect on May 25, 2018. It’s intended to protect the personal data of residents of the EU. If you do business primarily in the USA, this doesn’t directly pertain to you, but if you happen to collect email list subscribers that live in the EU, for example, you are potentially subject to the regulation with regard to how you store and use any collected information.
The GDPR offers broad privacy, transparency and control to EU residents and promises the “right to be forgotten”. This gives individuals the right to request any personal data you are storing and to know exactly how it is being used, and it requires businesses to delete the data if requested to do so. Notably, this consent requirement is exclusive of any other terms or conditions you already have with the contact… so saying that one of your email list subscribers is “already a client” or simply “opted-in” does not necessarily suffice for GDPR compliance.
You may have already noticed that many of the online services you use, such as MailChimp and Slack, have emailed customers and posted their own GDPR compliance plans. MailChimp, for example, has instituted “GDPR-friendly” opt-in forms, which include an explicit consent checkbox and suggested language that explains why the data is being collected.
Again, this won’t immediately be an issue to businesses that operate primarily in the USA, but in light of the recent Facebook data breach, it’s likely just a matter of time before similar (but likely heavily watered-down) data-protection rules are instituted here, so probably it’s not a bad idea to review your processes now. I’ve added a data-collection practice review to my to-do list for this quarter.
Here are a few good “explainer” resources: