In 199 days, the GDPR becomes law, changing the relationship between marketers and the EU consumers they target. Any company targeting EU consumers must be compliant with these new regulations or face a hefty fine.
But what is compliance?
General Data Protection Regulation
The European Union has passed a new privacy regulation, GDPR, that goes into effect May 25, 2018. Its main objective is to protect the data of EU consumers that has been collected online for business purposes – data that marketers use to serve ads based on location, age, gender, and other psychographic data that in combination paints a rich picture of each consumer and allows very specific targeting of marketing messages and promotions. For the marketer, personalized targeting leads to better conversions and revenue growth; for us as consumers, the goal is to present meaningful, actionable content that we personally care about. There’s a great deal to like about being told a pair of women’s running shoes in my favorite color and my size is on sale within a mile of where I’m standing.
The price of that convenience, however, is personal data privacy. Multiple databases across a variety of companies hold, maintain and, in many cases, sell detailed profile information about individual consumers. For many, this is becoming increasingly uncomfortable because of concerns about privacy and hacking. The GDPR is being introduced to give EU consumers control over the data that companies collect about them for business purposes, and a mechanism to insist that the information be deleted.
Unless your business never touches an EU consumer (even accidentally), you need to be on top of these regulations and putting processes in place to address the requirements. Some specifics are still being fought over, but in the 261 pages of the regulation there are basics that you – and your data provider, and the vendors of the software you use to collect and store information – have just a few months to address.
As a marketer, you need to offer:
- Very clear opt-in consent to collect data. Silence or ambiguity is not allowed.
- Communication. If there is a breach of the data you hold, or at the vendor holding data for you, you need to notify customers within 72 hours.
- Access. You need to be able to hand over all the data you’ve collected on a customer, if requested by that customer.
- Erasure. You and your vendors must erase all data on that customer if he or she asks to be forgotten.
The penalty is steep. The largest fines for violations are 4% of annual global turnover or €20 million, whichever is greater, but even the smaller fines are designed to cause pain to ensure enforcement.
Critical to managing this process is understanding the sources of your customer data and where it resides, and having a mechanism to manage customer data efficiently. Your entire data supply chain must be compliant, and if there are pieces of that supply chain that aren’t, you must not transfer any EU consumer data to them. If you leverage second- and third-party data from multiple sources, you may want to consider working with a data orchestration or management vendor that has built-in tools for managing GDPR compliance.
Add to your list of issues the pieces still in the air:
With what customer are you compliant? If your customer is a French citizen working in Mexico and your servers are in the U.S., do you need to be GDPR compliant? The law says… maybe. Section 14 of the law says it applies to all natural persons regardless of nationality or place of residence, and Section 23 says the law applies to data subjects “in the Union.” It’s still unclear whether a Frenchman in Mexico City or an American in France can demand GDPR compliance.
Who ensures compliance? Under the law, your company must name a Data Protection Officer if it is big enough, but the three government entities involved with the law do not agree on what that “big” metric is.
Whose law do you follow? GDPR was written to allow European states to stand as one for consumer privacy, but it has been rewritten enough that it is unclear who is enforcing the law. Add to that the fact that the new regulation is clear that if a European state makes a stricter law, marketers must abide by that stricter law for that country’s citizens. So you could have to follow GDPR for all EU countries, and stricter laws for Germans and those living in Germany.
The marketing technology community is just beginning to understand what this will mean. If you haven’t started thinking about this, now is the time!
- Identify who in your organization will be responsible for GDPR.
- Familiarize yourself with the regulations.
- Establish an action plan for data sourcing, management, retention and delivery.
- Make sure that you have the appropriate opt-in mechanisms in place for data collection.
- Ensure that you have the means to deliver a report, if requested, that shows exactly what data you have compiled on an individual and how it is being used.
- Establish a process for deleting profile data if requested.