The Layman’s Guide to GDPR


You may have noticed your inbox was overflowing with privacy policy updates last week. We’re guessing you didn’t take the time to read each and every one because, well, that’s a lot of fine print. But there IS a reason for the influx. Last week the deadline for GDPR compliance hit. GDPR, which stands for General Data Protection Regulation, has been on a planned rollout in the European Union (EU) since May 2016. The regulation now gives individuals power over the use of their personal data and holds organizations accountable for their data collection and usage practices.

Wondering why you should care about a regulation in the EU? The GDPR applies to any organization that does business with EU residents. So basically, if you do business online, it could very well apply to you. If you’re a US business but you’re knowingly conducting business in the EU, GDPR can and will be directly enforced by EU member state authorities. Your business may even be required to designate an EU representative. If you’re a small business that’s not actively or knowingly doing business in the EU, the rules get a bit murky. If the collection of personal data is deemed to be occasional and doesn’t put individuals’ rights and freedoms at risk, the inadvertent collection of personal data may be forgivable, leaving your company at the mercy of the country impacted.

So what do I need to know?

In a nutshell, GDPR requires organizations that collect personal information to better inform users about what information is being collected, and how it’s being used. It also requires them to give users more control over these actions.

An individual’s right to grant or revoke access to their personal data must be taken into account at every turn. It can no longer be assumed that an individual opts in by default; consent must be obvious and well informed. Think of those LONG, jargon-filled Terms of Use and Privacy Policies. These now need to be written in layman’s terms. The GDPR also empowers individuals to withdraw consent, request their data, and even have themselves completely erased from any and all data collection archives.

If GDPR applies to your organization, it’s best to have your own legal counsel ensure complete compliance. But if you want to get the general idea, this GDPR Playbook from HubSpot is a great place to start. HubSpot’s GDPR Playbook includes a summary of improvements, instructions for turning on GDPR functionality in HubSpot (a powerful lead-gen platform that we help manage for a number of our clients), tips for creating a GDPR strategy, and more.

Looking for just the CliffsNotes? HubSpot also offers a quick video to help you get your feet wet before jumping all the way in.

So why did GDPR happen in the first place?

We’re living in uncharted waters in this digital age. Our access to, and use of, digital technology seems limitless. But with that comes a cost – a ginormous increase in the amount of personal data floating around in the digital space. The GDPR aims to bring organizations that collect personal data up to speed by modernizing outdated (pre-digital) personal data laws. The GDPR is just a first step towards a more secure digital and online world.

The timing of GDPR’s deadline may seem somewhat ominous coming on the heels of the very public data scandal with Cambridge Analytica and Facebook. As consumers, many of us have blindly clicked the “ok” button without reading through the terms of use or privacy policies. Unfortunately, once we realize what we’ve signed up for, unsubscribing or opting-out is often far more difficult than it was to sign up. The GDPR’s goal is to put the power back into the hands of the individual, while holding organizations more accountable for their data collection and use, as well as their responsibility to keep that data secure.

How will GDPR be enforced?

Since many businesses are just beginning to come into compliance with GDPR, only time will tell the long-term impact. What is certain is that GDPR will disrupt the current model of personal data as currency, and in some cases, turn it into a liability.

While this greatly limits the free rein that organizations have had over individuals’ data to date, the implementation of GDPR may help restore the trust between consumers and businesses. For example, the new incentives for data protection and security mean that organizations can no longer wait weeks or months to report a data breach (in the EU at least) and must inform customers within 72 hours.

Failure to comply with GDPR is met with serious penalties. Fines will no longer be laughable to the bottom line; they will be based on an organization’s annual global turnover – up to 4% or €20 Million, whichever is greater. OUCH.

If those fines aren’t incentive enough to become GDPR compliant, victims of data breaches will also be empowered to file class action lawsuits. And in the end, the damage to an organization’s reputation and brand will likely be the most motivating consequence.

Is there an impact of GDPR on individuals outside of the EU?

The best place to embrace GDPR as an individual starts with all of those privacy update emails filling your inbox – open them. It’s the perfect opportunity to opt-out and remove yourself from subscriptions and subsequent data archives that you no longer need or use, most of which you’ve probably long forgotten about. This won’t have the same impact as if you were in the EU, but it’s a great place to start.

And it’s not just stuff you’ve already signed up for. Before you click “ok” and install that new app, read the Terms of Use and Privacy Policies; those written for GDPR compliance should be easier to read and understand. It’s also important to be an informed digital consumer. Set aside time a few times a year to investigate your digital footprint: Facebook privacy settings, all those email subscriptions, saved log-ins and shopping accounts. Remember, in the US, organizations are still able to collect data under the assumption that you are opting IN by default.

What’s next for GDPR?

While GDPR has yet to be adopted by the US or the rest of the world outside the EU, it’s time for US businesses to pay attention. The call for individuals to have rights over their own data is growing louder by the day. Individual consumers’ data, and their right to protect that data, is now at the forefront of the digital conversation.

As GDPR plays out in Europe, the world will be watching. What loopholes will be found? How will organizations and consumers react to the rollout? How will it impact small businesses? Will it actually improve consumer data protection?

One thing is for sure, GDPR will change the conversation around digital data privacy – and the empowerment of consumers to be in control of their online experience is here to stay.

About Ethos

Ethos is a multiplatform branding agency that develops and executes integrated marketing campaigns across multiple channels for companies inside and outside of Maine.

At Ethos, we believe that the most effective way to set a company’s marketing course is by finding its core truth – its ethos. We know that once we discover and communicate that core truth, we can truly make a difference for each client’s unique marketing and business objectives.

With Ethos, you get more than a marketing agency. You get a long-term partner whose goals are your goals.

Learn more about the Ethos approach and the work we’ve done for our clients. Want to have a conversation about your brand’s core truth? Contact us!

Written By

The ETHOS Team