To understand what led to these emails and fines, we have to first understand the basics of the GDPR and get an introduction to GDPR.
The basics and an introduction to GDPR
The GDPR is a European Union (EU) law whose primary purpose is the protection of the personal data of citizens and residents of the EU as well as Iceland, Liechtenstein, Norway, and Switzerland. In the context of the GDPR, these residents are called data subjects.
All data subjects are entitled to certain rights over their personal data, such as the right to know what data a business collects about them, the right to access this data, and the right to request that this data be deleted (i.e., the famous right to be forgotten).
Because of how the scope of the GDPR is written, these rights must be respected regardless of where the company is located, meaning that the law has extraterritorial reach. In other words, the GDPR applies worldwide to any company that targets data subjects.
For example, China Airlines, despite being headquartered in Taipei, would need to comply with the GDPR because it targets EU users (both by flying to EU nations as well as offering their website in European languages).
Now that we understand the what, who, and where of the GDPR, let’s learn about the key concepts at the heart of the GDPR, namely: transparency, consent, privacy by design, and data minimization.
Transparency here means that data subjects should be able to easily find out what information a business collects about them, why they collect it, and with whom it may be shared. Previously, businesses could get away with hiding their data practices in legalese. But not any longer — and this privacy revolution is not just limited to the EU.
Nations worldwide are passing privacy laws to bring in transparency to data processing practices and to give people more control over their data, for example, Brazil (Lei Geral de Proteção de Dados Pessaoais), India (Personal Data Protection Bill), and the US (California Consumer Privacy Act).
Consent is an important concept to understand and practice under the GDPR, especially for marketers. Before collecting subjects’ personal data, companies need to obtain consent that is both free, affirmative, and valid, that is, not obtained through coercion or trickery. To satisfy this need for affirmative consent, marketers worldwide contacted their mailing lists in May of 2018, seeking permission again from data subjects (this time, in a GDPR-compliant manner) to send promotional emails.
Privacy by design and data minimization
While transparency and consent have to do with data subjects, the concepts of Privacy by Design (PbD) and data minimization mostly have to do with how businesses design their data processing systems.
PbD refers to making sure that data security and privacy are considered at each step of a company’s processes and systems, whereas data minimization means collecting only the data that is essential to perform a given task or service.
For example, to deliver a newsletter, you only need an email address. Applying the principle of data minimization, collecting any other piece of information, such as name, gender, or age would be unnecessary unless you’re running gender- or age-specific email marketing campaigns.
Enforcement and fines
The gargantuan task of implementing the GDPR across the EU is assigned to enforcement agencies known as Supervisory Authorities (SAs). Each nation in the Union has one. For example, the Information Commissioner’s Office is the SA for the United Kingdom (probably not for much longer though), and the Data Protection Commission is the SA for Ireland.
These two SAs have been particularly active in investigating GDPR violations and handing out fines. The biggest fines to date were outcomes of investigations by the British SA. In fact, the Irish SA may break that record, with billion dollar fines on the horizon for Facebook, Twitter, and Whatsapp.
With precedent set and data subjects becoming increasingly aware of their rights, the second year of the GDPR is poised to see even more fines for non-complying companies, and that may include you and your company.
Don’t let your business become a casualty of this new law. To help you familiarize yourself with the basics of the GDPR, here’s an infographic that covers the key concepts and provides you with an introduction to GDPR.
This infographic was created by Termly.