
GDPR Is Live: Welcome to the Privacy Era


If your inbox has been flooded with "We've updated our privacy policy" emails, you've experienced the most visible effect of GDPR taking effect on May 25th. Every company that's ever had your email address suddenly remembered they have your email address and wanted to make sure you're okay with that.

The privacy policy email tsunami is annoying, but what's happening underneath matters.

What's Actually Changing

Companies Are Deleting Data They Don't Need

GDPR's data minimization requirement is forcing companies to audit what they collect and why. Many are discovering they've been hoarding data for years with no legitimate purpose. The cleanup is overdue.

Consent Is Getting Real

The days of "by breathing near our website you agree to everything" are ending. GDPR requires affirmative, specific consent. Pre-checked boxes are banned. Consent for different purposes must be requested separately. Users must be able to withdraw consent as easily as they gave it.

Data Breach Reporting Is Faster

The 72-hour notification requirement is already changing behavior. Organizations that previously might have sat on a breach for weeks or months (like Uber's year-long cover-up) now face massive fines for delayed disclosure. Transparency is becoming the default, not the exception.

The US Ripple Effect

GDPR is already influencing US policy. California's Consumer Privacy Act (CCPA) is moving through the legislature and borrows heavily from GDPR concepts. Other states are drafting similar legislation. Congress is debating federal privacy standards.

For US practices, the takeaway is simple: the privacy standards you'll need to meet in 2-3 years are being written right now, and they'll look a lot like GDPR. Practices that adopt privacy-forward habits today will be ahead when those regulations arrive.

What to Do Now

  • Clean up your email lists. Only keep contacts who actively want to hear from you. This is good practice regardless of GDPR.
  • Update your website privacy policy. Make it readable, specific, and honest about what data you collect and why.
  • Review your data retention. How long do you keep patient/client data? Do you have a documented retention policy? Are you keeping data longer than necessary?
  • Respond to the emails. Those privacy policy updates? Read the ones from services you actually use. Some are asking you to re-consent. If you don't, you may lose access to services you rely on.

Welcome to the privacy era. It's been a long time coming.