• by Jess Nelson , September 28, 2017

Enterprise companies can expect millions in fines next year if they continue to ignore the looming implementation of GDPR.

The General Data Protection Regulation (GDPR), an EU data privacy act, will be executed on May 25, 2018 -- fewer than eight months away. GDPR strengthens the data protection and privacy rights of citizens living in the European Union, and affects any company utilizing European residents’ data in any way.

A majority of privacy professionals have not begun GDPR implementation, according to a new study from privacy compliance company TrustArc. The report addresses the readiness of UK- and U.S.-based organizations with a minimum of 500 employees to comply with the May 2018 GDPR regulations. 

The study suggests that 61% of U.S. respondents had not begun GDPR implementation as of May 2017, while 64% of UK respondents had not begun GDPR implementation as of August 2017. Four percent of U.S. respondents had not begun the process of becoming compliant at all. 

Most companies will be turning to outside resources such as consultants and technology over the next eight months, with 98% of U.S. respondents and 92% of UK respondents acknowledging the need to invest in resources to help prepare for the May deadline.

Darren Abernethy, senior global privacy at TrustArc, explains how email marketers will also be affected by the new data regulation.

GDPR regulates the very data that email marketers use to fine tune their messaging for more personalized experiences, he says. Many large companies also likely communicate with EU residents if they have a market presence in Europe. 

Abernethy highlights two key areas of the GDPR legislation that will have major implications for email marketers: the “right to know” and the “right to be forgotten.”

Once GDPR is implemented in May, EU residents can request to know all of the data a company has on them. The brand in question then must provide a readable list of all the information they have collected on the individual with a certain time frame, and the resident has the right to edit the information if its incorrect. They also have the right to ask for a company to delete all of the information they have on them. 

In the U.S., every email marketer is required to have a way for a subscriber to opt-out of communication. But there is no format yet where companies can securely share all of the data they have on an individual.