Marketers, We Can't Hide From the GDPR.
We can't beat it, so we might as well get on board. Here's what you need to know.
The General Data Protection Regulation (GDPR) sounds complicated - even the abbreviation is a mouthful. And while GDPR is mainly a European set of regulations, companies in the U.S. will begin to feel the impact soon after it goes into effect in May of 2018.
What is GDPR?
The rules were created because legislators believed regular people needed to have more control over their personal data. Additionally, the regulatory guidelines for businesses had not been updated since the time Yahoo! was all the rage and AIM was the cool thing to do. GDPR is meant to give businesses and the general public a more even playing field in the digital arena.
The European Commission, the executive body of the European Union, believes that more trust is needed in the digital economy. The EC thinks that trust can be won by providing online consumers with greater control over, and more information about, how and when their data is used.
An important point to note: GDPR does not only apply to businesses that are in the EU (and Britain) - it applies to any company that does business within the EU. Facebook, Twitter and Google, for example, are all having to rework their business processes. There are steep fines and other very bad outcomes for businesses which operate in or around the EU that are guilty of noncompliance.
How will GDPR impact U.S. marketing?
There are many compliance issues surrounding GDPR, but the three main ones marketing managers need to know are data permission, data focus and data access.
Data permission is how you collect someone's personal information in return for promotional material, such as email opt-ins. Moving forward, you cannot assume that the user is willing to be contacted - they now have to opt in to be contacted, in a specific, informed, freely given, and unambiguous way, through a transparent, affirmative action. Basically, they need to click a radio button that clearly states they agree to be contacted.
When collecting user data, GDPR states that your company has to justify what kinds of personal data you are collecting. So instead of compiling as much information as possible, you should only collect what you can prove that you need in order to do business with that consumer. Or: just collect the very specific data you must have in order to do business, and nothing else.
The right to be forgotten has been one of the leading talking points when developing the GDPR. In a nutshell, users need to be able to access and remove their data easily.
Who will GDPR impact?
Every business doing business digitally, from a small mom-and-pop shop to giants like Google, and every kind of business in between that even thinks about shipping to the EU, will be affected by GDPR. No matter how small or large your business is, if you are not in compliance, then you could face fines.
Criteria a business has to meet to avoid being fined include:
- Ability to demonstrate compliance.
- A legal basis for processing.
- Following, and complying with, special conditions when processing certain categories.
- Proper record keeping.
- Proper processing of personal data.
- Increased and opt-in consent for the use of personal data.
- Notification of a breach of personal data within 72 hours.
- Appointment of a data protection officer, or DPO.
- The right to data portability for all users.
- Data protection by design and default.
The EU will monitor and enforce the GDPR by member state, so each country that is part of the EU will enforce and regulate its laws individually. If a business is based in the U.S., but ships or does business in the EU, it should speak with a specialist to see how it could be affected.
Fines and implications for failure to comply with GDPR include:
- Administrative intervention.
- 10 million euros or two percent of global revenue (whichever is higher).
- 20 million euros or four percent of global revenue (whichever is higher).
- Any necessary compliance-related action as decided by the EC.
Here is a short, easy-to-follow checklist to be in compliance for GDPR before it goes into effect. If you're unsure how it will affect your business, reach out to a specialist at HGX Creative today!
How to be GDPR compliant:
- Gain consent before contacting an individual or using their data.
- Give all your consumers a right to be forgotten.
- Be as transparent as possible.
- Begin auditing your mailing list now.
- Review and revise the process you use to collect personal data.
- Develop a more succinct content marketing strategy.
- Train your salespeople to share content on social media platforms, rather than via email.
- Understand the data you've been collecting and adapt as necessary.
- Update your privacy statement.
Frequently asked questions
- How will EU regulators enforce the GDPR on American companies?
First, if your business has a European-based physical presence, the GDPR can be enforced directly. However, the GDPR states that if your business is selling or interacting with customers in the EU, you must have an EU-based representative. The EU will use international law to enforce cooperation with the GDPR. The U.S. and EU law enforcement agencies have a long history of collaboration, and the EU can fine a U.S. company for violating the GDPR - and the U.S. federal authorities will help enforce that fine.
- How can the EU fine me if I'm in America?
The EU has many agreements in place, such as the U.S. Privacy Shield data sharing agreement, and the EU can issue complaints and fines against U.S. companies. If a U.S. company violates the GDPR, the country in the EU that is enforcing it can just file the fine and complaint, and the U.S. authorities will levy it against the business.
- What if I don't pay the GDPR fine?
If you don't pay the fine, the EU can cite your business, cut off your ability to transfer data in that country, and levy steeper fines. Additionally, with current favorable EU-U.S. cooperation conditions, the U.S. could step in and force your business to pay the fine.
- How can the EU tell if I violated the GDPR?
Agencies set up in countries that are upholding the GDPR have full investigative power to ask the controller and processor of any business operating within the EU to provide any information the agency thinks is relevant. To begin with, the company will be in the "suspicion of a violation" category, and if they take prompt steps to rectify the situation, then most companies will get a warning. However, if a violation has been confirmed, the agency can issue reprimands, order the company to bring its practices into compliance, and order the deletion of any data that's in violation. If previous warnings and orders have been ignored, more severe measures are enforceable. These measures include a ban on processing in the EU, a suspension of data transfers to or from the country, and fines.
- How soon after a breach do I need to get into compliance?
Within 72 hours of becoming aware of a breach of GDPR regulations, the company is required to notify authorities, the subjects of the data breach, and the regulating body where it happened. (For example, if personal information was hacked into and stolen in Ireland, you'd have to notify the Ireland GDPR agency.)