As I am sure you are aware, two new regulations on personal data come into force in May: the General Data Protection Regulation (GDPR) and the reform of the Spanish Organic Law on the Protection of Personal Data (LOPD, its Spanish acronym). As predicted when we talked about the public relations trends for 2018, these legal changes are a concern for the heads of marketing and communication at many companies. But what do they involve?
How will GDPR and the new LOPD affect marketing?
What is new in the GDPR
The General Data Protection Regulation (GDPR) is an EU-wide regulation that governs the processing of personal data in all European Union countries. Although everyone talks about the “new GDPR that goes into effect in May 2018”, this legislation was actually passed in April 2016. However, member states have had two years to adapt to the new regulation, and after May 25th of this year it will be applied in practice, sanctions included.
It will be the first time that all EU countries have common legislation on the protection of personal data, which is good news for citizens. However, the changes brought by the GDPR mean that companies will need to adapt their marketing and communication activities. These are some of the main new provisions of the regulation:
- To be able to process personal data, companies must obtain the explicit consent of the users. This means that, for example, companies will not be able to add e-mail addresses found on web pages to their databases.
- Companies will have to explain to users how, for what purpose and for how long they will process personal data, in a way that is concise, transparent and easy to understand. The typical Legal Notice that no one understands will therefore no longer be enough.
- Companies can only obtain consent for the processing of personal data of users over 16 years old. However, the GDPR allows different countries to lower this age of consent, as we will see later when talking about the LOPD.
- Companies must report any data protection breach within a maximum period of 72 hours, both to the corresponding control authority and to the users affected by theft, unauthorized access or illegal use.
- Companies will have to appoint a Data Protection Delegate in charge of managing all aspects related to their users' data. This delegate may be an employee, or the role can be contracted out to an external company.
- Compliance with the GDPR will be mandatory for all companies that process data of EU citizens, even if they are not registered in a European country. In case of non-compliance, fines can reach up to 20 million euros.
- If personal data is shared with other companies (for example, e-mail providers or partners in co-marketing campaigns), both parties must ensure that they comply with the GDPR, as either may be sanctioned for possible infractions.
The changes of the new LOPD
For its part, the new Organic Law on Data Protection (also known as LOPD 2018) is a reform of the Spanish data protection legislation that has been in force since 1999, although half of Spanish companies still do not comply with it. The reform was submitted in November 2017 to adapt the LOPD to the new requirements of the GDPR.
However, the reform of the LOPD has not been approved yet. The approval is expected to arrive in May 2018, coinciding with the application of the General Data Protection Regulation. The new LOPD reflects the provisions of the GDPR, but with some differences:
- In Spain, the age of consent for the processing of personal data is set at 13 (not 16, as in the GDPR).
- It will no longer be necessary to register data files with the Spanish Agency for Data Protection, but a register of processing activities is established for companies that have more than 250 employees or that deal with sensitive data.
- Companies must inform the corresponding control authority of the person they have appointed as Data Protection Delegate and provide that person's contact details. This delegate must have the appropriate qualifications to apply the law.
- Family members or heirs may access, modify or delete the online content of deceased persons (for example, web pages, blogs or social networks), provided that the deceased has not arranged otherwise in their will.
- Before sending a commercial communication, companies must verify that the recipient is not on an advertising exclusion list (the so-called Robinson Lists).
Do you think that the GDPR and the new LOPD will better protect personal data? Comment on social networks!