GDPR Compliance: Informed Consent Required

“Content Marketing” by Luis Osorio from Flickr (Creative Commons License)

The General Data Protection Regulation (GDPR) is the new law aimed at protecting individuals’ privacy and their personal data. All companies that send commercial emails to any person living in the EU must comply with this law when it goes into effect on May 25, 2018 – including non-EU companies.

If you collect or process personal data from any natural person residing in the EU, the GDPR requires you obtain the person’s specific, informed consent that unambiguously indicates the person’s wishes or it must be given by a clear affirmative action.

When you collect a natural person’s (aka data subject’s) personal data, the GDPR requires you to do the following:

  • It must be done lawfully, fairly, and with transparency.
  • Data must be collected for a specific, explicit, and legitimate purpose.
  • The data collected must be limited to the data necessary for the purposes for which it will be processed.
  • You must erase or rectify inaccurate data without delay.
  • You must keep the data for a period that is no longer than necessary for the purpose for which it will be used.
  • You must protect the data subjects’ personal data with appropriate security measures.

Requiring specific informed consent, means you can’t hide the consent information in your terms of service. The data subject has to know what they’re signing up for and give their explicit consent to use their data. If you give people who visit your website the option to add themselves to your mailing list, that, since you won’t know where they live (especially if all they’re providing you is a name and email address), the sign-up form should comply with the GDPR requirements.

I suspect it also means that dropping your card in the bowl to try to win an iPad at a booth and a conference won’t be sufficient to establish explicit consent to add a person to your email list unless there’s verbiage adjacent to the bowl that doing so is a clear affirmative action of consent. Hmm . . . perhaps event organizers who have EU attendees should provide their expo vendors information about obtaining consent under GDPR.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.

Preparing for GDPR: Are You Ready?

Europe Privacy Law GDPR from Smeders Internet

This year, I’m putting considerable energy into understanding and complying with the GDPR.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European law that goes into effect on May 25, 2018.

It impacts any professional commercial activities regarding natural persons residing in the EU, so that includes process personal information about natural person who lives in the EU, or sending commercial emails to any natural person who lives in the EU. Commercial emails include the offer of goods or services, even if you’re not doing it in exchange for money.

The purpose of this new law is to protect natural persons’ personal data, and it includes provisions about obtaining data subjects’ consent and using adequate security to protect their information. Failure to comply could result in millions of dollars in fines.

Who is Exempt from GDPR?

The GDPR does not apply to anyone who stores or uses person’s data for personal use – like if you maintain a personal database of contacts, and some of them happen to be people who live in the EU.

It also doesn’t apply to anonymous persons or dead people.

Complying with the GDPR

I have read the GDPR from cover to cover (260 pages). A significant amount of my work in early 2018 will be related to GDPR compliance – starting with my own company

My rule for my email list is people add themselves. It’s disrespectful when companies add you to their email list without consent, so I don’t do it. As a result, I have no idea where most of my subscribers are located. I have assume at least one of them is a person who resides in the EU, therefore the GDPR applies.

For the next few weeks, I’m going to be breaking down this law into it’s requirements and applying them to my business so I can, in turn, educate and help other companies modify their policies and practices before the law goes into effect on May 25, 2018.

This is not a law that companies can easily comply by adding a new paragraph to their terms of service. It will change their tactics and approach to content marketing.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.