For Europe, the month of May will see celebrations for Prince Harry and Meghan Markle’s wedding, but European consumers will have another celebration: Their Rights. And not only the rights of Europeans. On May 25, 2018, the General Data Protection Regulation, or GDPR, goes into effect in Europe, but it has global digital marketing ramifications.
If you are a marketer, you may not consider GDPR compliance to be a reason to celebrate. Yet, even more than Prince Harry’s status, the new GDPR represents a game changer in terms of how personal data can be collected, shared and used. The regulation comes amid the post-Cambridge Analytica-Facebook data breach which gave Cambridge Analytica access to the personal data of 50 million Facebook users’ private information. More than ever, consumers are wary of so-called security fail-safes meant to ensure their privacy. How can you ensure GDPR compliance in your marketing efforts?
What Is GDPR?
The GDPR, passed in April of 2016, is designed to “protect people with regard to the processing of personal data and on the free movement of such data.” In other words, the GDPR considers protection a fundamental right of consumers regarding their personal data and states that “everyone has the right to the protection of personal data concerning him or her.”
Key tenets of the regulation include:
- Penalties for noncompliance up to as high as €20 million or 4% of a company’s total global revenue, whichever is larger
- Transparency when requesting personal information
- Required opt-in consent
- Assignment of responsibility for data transfer outside the EU.
The potential impact on business is huge and far-reaching by design, and will change the way customer data is collected, stored, and used.
GDPR Impact On Non-European Businesses
The regulation is important for both European and non-European companies. European companies must provide evidence in the form of legal certainty and uniformity regarding data shared with any third country or international organization to ensure adherence to the same levels of protection. Only then is the transfer of personal data to a third country or international organization permissible without the need to obtain any further authorization. Importantly, if an EU company shares data with a US company, for example, and this agreement is breached, the EU company will be held responsible. If countries such as the US want to keep good business relations, everyone must comply.
In other words, General Data Protection Regulation applies to any company or organization that deals with European customers. Even if you feel pretty secure that your market is solely within the US, one errant email to a European potential customer can put you at risk of breaking GDPR requirements.
What Is Personal Data?
GDPR outline personal data as including “any aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.”
Personal photos, email and residential addresses, name, IP address information, genetic and biometric data, credit information, or any information that could directly or indirectly identify an individual without their consent are included.
GDPR Consent Opt-In Replaces Opt-Out Consent
Companies may no longer use “opt-out” to obtain consent for the use of personal data. Opt-out consent is where an individual is provided with the option to decline consent rather than presented with the choice to give consent. If an individual does not decline, they are by default giving permission.
Per GDPR consent, opt-out consent is deemed too ambiguous, and now gives a revised legal definition for the need to obtain explicit consent. Rather than opting out, a person has to be presented with the choice to opt-in, and the terms of that consent must be clear and distinct from any other actions you want the individual to take.
Consent must be freely given, specific, informed, and unambiguous and an individual must take a specific action to indicate their choice to opt-in.
How To Comply With GDPR
Any data you have collected or will collect in the future is subject to GDPR scrutiny unless you have obtained opt-in permission with clearly defined use of that personal data. This means that any data you previously collected, including recordings, poll information, survey answers and emails, and personal data gathered from social media, smartphones, or web technology and VR, require opt-in permission for their continued and future use. To ensure this, new contacts and anyone currently in your Contact Management Software (CRM) should be contacted to reestablish permission.
The following are key GDPR compliance areas of importance for marketers:
- You must obtain permission for use of personal information by requesting an individual be provided with a choice to opt-in, accompanied by an explanation of how their data will be used or shared.
- You should discontinue collecting data that is not necessary for your business.
- You must provide individuals with the option to access and remove their contact information or personal data at any time.
- The creation of a contingency plan in the event of a breach to ensure that good faith customer relationships and brand reputation remain intact. Your response should come within 72 hours of a breach.
Start With A GDPR Compliant Opt-In
Whether you are a business with offices in Europe, have European customers, or collect personal data from customers such as email addresses and are uncertain of their location, it is important for you to initiate compliance prior to May 25, 2018. The following steps will help to ensure you are GDPR compliant:
- Review data and personal information you have collected to ensure users have opted-in.
- Send out proactive communications to your customers to reestablish opt-in.
- Set up a double opt-in feature for all future communications to allow visitors who fill out a form to give explicit consent that they want to be contacted by you.
- Draft standard messages for any lead-generating content or forms with an explicit request to use personal data, such as, “Thanks for giving us your feedback! We are always striving to improve our offerings for customers based on their personal experiences and data. Do you give us consent to record your data from prior and future visits interactions/visits/surveys?”
- Create internal policy and process documents outlining how your business will comply with GDPR.
- Include “unsubscribe” and/or “please remove me from your database” selections, as well as editable email preferences in all email communications.
GDPR For Marketers
Marketers may have anxiety about the new GDPR coming in May but taking proactive steps toward compliance will ensure that your customers and regulating bodies continue to hold you in high regard. There are bound to be bumps along the way, but as long as businesses employ adequate data protection measures, and are open and truthful about personal data collection, the new regulation should not present a disruption but rather, present new opportunities for engaging with customers on their terms. Beyond these tips, we recommended that you view the full requirements for collection and processing of personal data per GDPR compliance and enforcement.