On Friday, the General Data Protection Regulation (“GDPR”) officially comes into effect. This means that all companies – fashion and non-fashion, alike – that collect any data “relating to a … natural person” who is in the European Union (regardless of citizenship), including names, email addresses, and even IP addresses, are required to comply with strict new rules. Companies that fail to comply with the provisions of the GDPR by Friday, May 25, 2018 will face fines that could be as great as €20 million (roughly $24 million) or 4 percent of their worldwide annual turnover, whichever is higher.
The GDPR – which replaces the Data Protection Directive 95/46/EC as the EU’s latest effort to protect the personal privacy of its citizens – aims to harmonize data privacy laws across Europe, in order to “protect all European Union citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.”
Many of fashion’s most prominent brands, retailers, and creatives live and work in the EU, making the applicability of the GDPR to them and their businesses very obvious. However, it is worth noting that companies and individuals in the U.S. and any other country outside the EU’s 28 member states are also subject to the union’s new regulation if they:
1) Have a presence (an “establishment”) in an EU country, or 2) Do not have a presence in the EU, but process personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior. The employee count often cited alongside these criteria affects record-keeping rather than applicability: 3) Organizations with 250 or more employees must keep formal records of their processing activities, and 4) Organizations with fewer than 250 employees must keep them too if their data processing is likely to affect the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
In short, as Michael Wade, the Director of the Global Center for Digital Business Transformation, puts it, “Businesses and people who don’t live or work in the EU aren’t immune. Anyone who has customers [or in the case of publications/bloggers, readers] in the EU, or works with information processors in the [European Union] bloc, is subject to the GDPR.”
In order to ensure compliance with the GDPR, brands, retailers, bloggers, and influencers, alike, must require both new – and existing – website users, e-commerce shoppers, newsletter subscribers, etc. to consent to the collection of their data going forward, whether it be their names, mailing addresses, credit card information, and/or some other form of even very “basic identity” information. (Consent is one of several lawful bases the regulation recognizes – fulfilling an order a customer has placed is another – but where consent is the basis relied on, it must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give.)
As noted by security and risk management site CSO, “The GDPR takes a wide view of what constitutes personal identification information. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for names, addresses and Social Security numbers.” The regulation further requires companies to apply “appropriate” technical and organizational security measures to personal data. It does not prescribe specific controls, but it names the kinds of measures it has in mind, among them pseudonymization and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to data after an incident, and regular testing of whether those measures actually work.
One of the simplest ways of achieving this is by way of an updated “notice and consent” form on websites where companies (or individuals) are seeking to collect user data. Such a form should “explain in simple terms to customers what data you are collecting, how you are using that information,” and how it is being stored. Companies should also include “an easy way for people to opt in to their data being collected and stored.” The opt-in has to be an affirmative act: pre-ticked boxes, silence, or continued browsing do not count as consent. If existing users withdraw their consent, the company must stop processing their data for that purpose and, unless it has another legal ground to keep it (a tax record of a completed purchase, for instance), delete the data it is storing about them.
The same goes for companies that maintain mailing lists, either by way of electronic or post mailings.
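The notice-and-consent mechanism described above is easy to get wrong in code: a tracking cookie is set before the visitor has agreed to anything, or a withdrawal only flips a flag while the data stays on disk. The following is an added example, not code from the article or from any vendor it mentions, showing the core of a per-purpose consent ledger: consent is recorded as an affirmative act against a named purpose and a specific version of the notice text, pre-ticked defaults are rejected, nothing is stored for a purpose without a current opt-in, and a withdrawal erases what was held under that purpose while keeping the audit trail. The purposes (“newsletter”, “retargeting_cookie”), the subject IDs, and the sample payloads are constructed for the example.

```python
"""Per-purpose consent ledger (added example; the purposes, IDs and data are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # e.g. "newsletter", "retargeting_cookie" (assumed purpose names)
    policy_version: str   # which version of the notice text the subject actually saw
    granted: bool         # True = opt-in, False = withdrawal
    timestamp: datetime


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []          # append-only audit trail
        self._data: Dict[str, Dict[str, dict]] = {}    # subject_id -> purpose -> stored data

    def record(self, subject_id: str, purpose: str, granted: bool,
               policy_version: str, *, pre_ticked: bool = False) -> None:
        """Record an opt-in or a withdrawal. A withdrawal also erases the data held
        under that purpose, since consent was the only ground for keeping it."""
        if granted and pre_ticked:
            # A default-on checkbox is not an affirmative act and must not be logged as consent.
            raise ValueError("consent must be an affirmative act; a pre-ticked box is not valid")
        self._events.append(ConsentEvent(subject_id, purpose, policy_version, granted,
                                         datetime.now(timezone.utc)))
        if not granted:
            self._data.get(subject_id, {}).pop(purpose, None)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The most recent event for this subject and purpose decides; no event means no consent."""
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event.granted
        return False

    def store(self, subject_id: str, purpose: str, payload: dict) -> bool:
        """Store data for a purpose only if consent for that purpose is currently in force."""
        if not self.has_consent(subject_id, purpose):
            return False
        self._data.setdefault(subject_id, {})[purpose] = payload
        return True

    def held_data(self, subject_id: str) -> Dict[str, dict]:
        """What is currently stored about a subject, by purpose (a subject-access view)."""
        return {purpose: dict(v) for purpose, v in self._data.get(subject_id, {}).items()}

    def erase_subject(self, subject_id: str) -> None:
        """Erasure request: drop every stored payload. The consent events themselves are kept,
        because a later dispute needs the proof that consent was withdrawn and when."""
        self._data.pop(subject_id, None)


def cookie_headers(ledger: ConsentLedger, subject_id: str,
                   session_token: str, ad_id: str) -> List[str]:
    """Set-Cookie headers for a response. The session cookie is strictly necessary for the
    site to work and is always set; the advertising cookie is set only with a recorded opt-in."""
    headers = [f"session={session_token}; Secure; HttpOnly; SameSite=Lax"]
    if ledger.has_consent(subject_id, "retargeting_cookie"):
        headers.append(f"ad_id={ad_id}; Secure; SameSite=None")
    return headers


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("visitor-42", "newsletter", True, "privacy-notice-v2")
    print(ledger.store("visitor-42", "newsletter", {"email": "reader@example.com"}))
    ledger.record("visitor-42", "newsletter", False, "privacy-notice-v2")
    print(ledger.held_data("visitor-42"))
    print(cookie_headers(ledger, "visitor-42", "s3ss10n", "ad-7f3a"))
```

The two design points that matter are that `has_consent` is derived from the event log rather than from a mutable flag (so the record of what was agreed, to which notice version, and when, survives), and that `record(..., granted=False)` and `store` are the only paths that touch stored data, which keeps “consent withdrawn” and “data erased” from drifting apart.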
The widespread applicability of the regulation and the heavy fines that can come with non-compliance make the GDPR something that a significant number of industry entities – from brands and retailers to influencers and bloggers – will be affected by.
According to Mr. Wade, “Advertisers, particularly those relying on online promotion, will be severely curtailed. For example, GDPR will require them to gain explicit consent for every cookie they want to use, thus affecting any media or marketing business that uses retargeting, that is, tracking consumers and reminding them through advertising of sites they have previously visited.”
“They will have much less freedom,” he says, “to combine data from different sources and build targeted campaigns to specific groups of individuals.”
“The GDPR is also likely to curb the ability of digital giants such as Facebook – including its services WhatsApp and Messenger – and Google – including Gmail – to collect and use consumer data, restricting them from targeting ads based on external data.”