• by Ray Schultz , Columnist, February 16, 2018

Anxious about the EU’s General Data Protection Regulation? It’s not a scary as it sounds, says Dennis Dayman, chief privacy officer and chief security officer of Return Path. It may even help marketers. 

Take the requirement that you only store data as long as you need it. “A lot of providers are paying massive hosting bills on data and not using it,” Dayman says. “This will reduce costs.”

Then there’s the strain of trying to comply with a plethora of national laws.

“They created 28 different laws,” Dayman says. For example, “Germany went really tough on it — you need a double opt-in to process data. This came from World War II scenarios, when data was used in wrongful ways. They take permission very seriously. In the UK, it’s a little more lax.”

So the EU decided to “make it cleaner,” he continues. “Instead of 28 different laws, we will have one law, and that makes it easier for multinational companies like Return Path.” 

Finally, there is the benefit to consumers. When people opt out of being tracked, they may end up being served “crappy email and website ads” instead of relevant content, he argues.  

Still, it may take time and money to ensure full compliance. Return Path itself is now in the process of standardizing its privacy policy statements and making them “hyper transparent,” Dayman says. This project, which is taking many man-hours, will be unveiled in March.

“These are not material changes, but we’re cleaning up our language,” he says. 

He explains that “like many companies, we have several product lines, and five or six different privacy policies. We don’t want you to have to look at five different policies and figure out which one applies, so we’re doing a one-stop shop privacy policy. 

Return Path is also automating the process of answering people who inquire what information the firm has on them. 

“When they email us, we have to tell them that,” Dayman says. “We want to automate it. It’s not required.” This won’t be ready until summer.  

Meanwhile, Return Path is advising clients to observe GDPR, both in spirit and by the letter of the law, even if U.S. doesn’t require it.

“We joke that Can-Spam means ‘we can spam anyone,’ because it’s an opt-out law,” Dayman jokes.

On the other hand, Canada now has CASL, which is an opt-in regulation. And the Asia-Pacific region will probably be “copying the ideals of GDPR for their organizations,” Dayman warns.

That said, there are parts that U.S. firms may not want to observe, like the “right to be forgotten.” "It’s a debatable sort of scenario, which means ‘Delete all the data you have on me," Dayman states. It’s not required under U.S. law,he notes.

Maybe you’re not processing much data on European citizens. But it’s better to be GDPR-compliant now. “When you come to a new idea three years from now, you don’t want to have go to back and rewind the wheel,” Dayman concludes.