What Marketers Need to Know About the GDPR
On May 25, 2018, the European Union will officially begin enforcing the new General Data Protection Regulation, arguably the most comprehensive, stringent and consequential regulation to be implemented in over 20 years.
Whereas the previous Data Protection Directive (rolled out in 1995) protected EU consumers mostly from EU companies, the new regulation protects EU consumer data regardless of where the company housing that data is geographically located. In short, if you collect personal data from someone physically located in one of the 28 member states of the European Union, you will be expected to comply.
GDPR Global Consequences
What we sought to answer was, “How will this affect marketing practices within the United States?”
If your organization does anything that targets any contact within the European Union, you’re going to have to think about your website, web forms, data management practices, email strategy, social media strategy… And the list goes on. Here are some high-level considerations that we feel our clients may want to unveil with their lawyers and I.T. departments.
Definition of Personal Data. Article 4 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…” In other words, even data collected over social media counts.
Your website and web forms. If you have a website that contains pages that specifically target audiences within the EU, particularly if there are pages written in the native language of the target audience or the domain suffix is justified to the region (i.e., .nl for the Netherlands), you’ll want to work with your strategy, technology and legal teams to design data collection or conversion practices such that you stay in compliance. Any information you collect must be collected with explicit consent, which means it is “freely given, specific, informed, and unambiguous.” This could be applicable to transactional and non-transactional data collection efforts.
Data Management. In the process of collecting data, it must be apparent what the data will be used for, in an easy to read and easy to access manner (in other words, a link to another page filled with fine legal print may be out of compliance, but check with your lawyer). If you or your organization are the unfortunate victims of a data breach and EU data is, in any way, compromised, you have 72 hours to contact a supervising authority. In high-risk breaches where a contact’s financial integrity is potentially compromised, there may be an obligation for your organization to get in touch with the at-risk party personally. There is language in the GDPR that requires particular security practices be in place before data is even collected, so (you guessed it!) consult legal counsel to make sure everyone is clear on the regulation and in compliance.
Right to be forgotten. Similar to the Directive, there is a lengthy list that qualifies a consumer to request that a company completely delete all data and history from their servers, no questions asked.
Consequences. Another significant change from the Directive is that the consequences for non-compliance are hefty, and GDPR protection authorities now have a lot more power in how they regulate, investigate and enforce this regulation. If non-compliance is determined to be related to technical shortcomings, the fines may be the greater of €10 million or 2% of global annual revenue; if non-compliance is with any of the “key provisions” of the GDPR, fines may be the greater of €20 million or 4% of your global annual revenue.
As this is a lengthy and complicated regulation with a world-wide impact, make sure you work with all necessary parties to mitigate any risk you may face.
Ready to Start Winning Digital? Contact us today and let's discuss your needs and how Parallel Path can be the digital partner that helps you increase your awareness, acquisition and retention goals.