This is the second part of my presentation of the GDPR (General Data Protection Regulation), adopted by the EU on 24 May 2018. You can read the first part here. No matter the size of the companies, small, medium or big, the new provisions shall apply to all the institutions and companies that process personal information of the consumers in the EU. According to a survey conducted by MKOR Consulting, more than one third of the Romanian companies were not familiar with GDPR at the beginning of the year. On the other hand, however, almost two thirds of the Romanian companies had already updated their internal processes or were in the process of updating with GDPR before the deadline. According to the size of the company, the budgets allocated to the implementation of the new provisions vary from EUR 1,000 to EUR 10,000. According to the new GDPR provisions, many marketing strategies, such as the use of cookies (codified texts withholding the users’ preferences for a certain website) or pre-checked cases allowing the receipt of promotional materials will have to be adapted to observe the privacy and confidentiality of the consumers. Another major implication is that enterprises will have to use SSL certificates (protocols encrypting the exchange of data via the Internet) to increase consumer security in the online environment when they enter personal information on the company website. Also, certain aggressive methods of direct marketing, such as the abusive sending of newsletters or text messages without the users’ prior consent, may generate legal problems to the company, besides affecting the brand image. Therefore, personalized adverts will become less accessible marketing actions given the increase in the budget necessary to their implementation; however, on the other hand, the quality of the personalized messages will considerably increase and will become a premium category for many traders. Increasing data security will also require renewing or changing the data storage infrastructure, which will lead to increasing user costs. The relation between marketing and data security will substantially determine the evolution of the budgets and the traders will have to come up with innovative ideas of promotion and to adapt to the new requirements.

What Needs to Be Done?

Of course, these provisions have crucial implications to Romanian companies, especially startups, which, the same as their EU counterparts, are not fully prepared to get in line with GDPR. Although this new law, which is one of the most important decisions by the European Parliament over the last 20 years, does not stand for a radical change in respect of consumer protection, fact is that its implementation will require many resources, both financial and human.

GDPR - General Data Protection Regulation – is an initiative proposed by the EU in 2012 to replace the 1995 Data Protection Directive, that came into effect on 25 May 2018. These new regulations reflect the need for protection in respect of the personal data of the EU individuals, against the background of skyrocketing growth of the digital technology consumption. The events such as the 2015 viral campaigns or, more recently, the scandals involving Facebook have created an opinion trend in favor of this kind of regulations.   How can Romanian companies get in line with these new GDPR regulations? Firstly, it is important to understand clearly what these new laws involve, as they will affect not only the businesses in the European Union, but also the ones outside it.

Brief Description

In order to facilitate a detailed explanation of these provisions, we’ll refer to terms such as:

• Personal Data - include, without limitation, confidential and personal information, such as first names/last names, physical or email addresses, identification documents, payment means, localization data, political opinions, religious or philosophical beliefs or data related to the physical looks of a person.
• Data Processing – includes, without limitation, collection, storage, consulting, changing, using or sending, as well as deletion and destruction of the personal data mentioned above.
• Data Encryption – Represents the process of securing the sending of confidential information between institutions or companies and citizens, using advanced encryption technologies (mathematical algorithms).

The GDPR initiative is meant to offer increased transparency and security in the process of data processing and encryption for the EU citizens in the online environment. The regulations require the companies that provide services to individuals in the European Union to inform the consumers in respect of the personal data processing methods and the purpose for which such data will be used. At the same time, this initiative brings about value and credibility to a brand, considering the extent to which the present day consumer appreciates the confidentiality of its actions in the online environment. Very many big companies, even some startups, had complied with these regulations long before they became effective. Nowadays, however, the EU will make sure that all the companies will implement, in a transparent manner and in full, these provisions, which will improve the relations between consumers and suppliers. We all know Apple’s Safari 10, the new version of web navigator, was a big success in 2017. It offers the possibility of blocking the unwanted personal data monitoring and also other facilities as the automatic starting of the video content on the page, which may be classified as aggressive marketing.

The New Provisions and Their Importance

The new provisions should not alarm any operator (private legal entity), as they have been prepared not only to the benefit of the users, but to the benefit of companies or other organizations. The provisions have been developed based on Directive 95/46/EC, which was abrogated once the new GDPR has come into effect. It’s true that these provisions will substantially affect the marketing and operational strategies of all. Following is a summary of the provisions:

• Any entity that processes the consumer data in the EU, including third parties, may be liable to prosecution if these provisions are infringed.
• When an individual does not want their data to be processed by an operator (company/institute), the information must be destroyed, on condition that there are no reasonable grounds to keep it.
• If they process on a wide scale confidential information for a big number of consumers, the operators are obligated to designate an expert in personal data management (small and medium size companies are exempted from these provisions if the data processing is not an essential part of the their business).
• The operators are obligated to report to the national supervisory authorities any serious violation of these new regulations immediately.
• Parental consent is necessary for the children under a certain age to be able to use social networks (the age criterion varies from 13 to 16 years, according to the specific laws of each country).
• Individuals are entitled to the portability of their data, which allows for the easy and convenient transfer of their personal information when they change services between suppliers.

Of course, the law provides for more than just that and any company dealing with businesses in the tech-online class should seek for the advice of a specialized law firm. To many companies that have already developed online marketing strategies in keeping with the old regulations, the new law does not necessarily bring about major unforeseen aspects. You can find some considerations on the impact GDPR will have on Romanian companies here.