GDPR is the acronym on every marketer’s mind. As the May 25 enforcement date approaches, any company with a website, email list, social media channel or other online communication needs to know about this new data privacy regulation. Compliance with GDPR appears daunting, but remember this change is ultimately a good thing. It’s good for individuals to be in control of their data. It’s good for businesses to only communicate with interested parties. Ultimately GDPR will improve the accuracy of data, foster increased trust in businesses and hone your marketing campaigns.
What is GDPR?
The General Data Protection Regulation (GDPR) significantly expands the protection of personal data for citizens and residents in the European Union (EU). It applies to companies worldwide that have customers, followers, or other leads they communicate with who are in the EU. The GDPR requires a strict protocol for data collection, storage, use and privacy. It has harsh penalties including fines of up to 4 percent of global revenue or 20 million euros, whichever is greater.
What is required for GDPR compliance?
- Identify, inventory, and maintain a record of personal data collected for EU residents.
- Add transparency between the company collecting data and the person the data is collected from, to ensure people know their data is being collected. The banners appearing on many websites that ask permission to track cookies are a part of GDPR compliance.
- Secure all data collected. This is a huge part of GDPR, and apparently a difficult one, after so many data breaches made the news last year. Your company must use “appropriate technical and organizational security measures,” such as encrypting the data, using anonymization and segregating it from other data in the system.
- Report breaches involving EU data to authorities within 72 hours and notify affected people “without undue delay.”
- Give EU residents the ability to access, correct, erase and move their data to another service provider. ‘Opt-out consent’ is not permitted. Using data for a new purpose requires consent to use the data for that new purpose.
- Ensure third-party services that handle your organization’s data are compliant. Your company can be held liable for the personal data in the hands of your business partners. For example, if someone requests their data be deleted, you’ll have to ensure it is deleted from third parties as well.
- Incorporate privacy and data protection controls into any new or existing systems.
- Perform data protection impact assessments for any process changes that represent a data privacy risk.
- Keep records to prove compliance, including records of consent.
- Have policies in place regarding the collection and use of data – such as a more robust and transparent ‘Privacy by Design/Default’ policy and a data retention policy that describes how long your company will retain each individual’s data and justifies why you need it for that length of time.
Marketing and PR practices affected
Most of them! GDPR includes any database of customers, leads, followers, etc. which your company uses to track and communicate with people, including email lists. It takes our CAN-SPAM laws to a whole new level. The marketing practices affected the most by GDPR are ones you should not be doing anyway – buying lists, cold emailing and spam. How can you be sure your database does not contain EU residents? It’s best to implement GDPR compliance across the board to be safe.
The use of third-party data in highly-targeted ads such as Google’s Customer Match and Facebook Custom Audiences may decline, but the remaining data is more likely to be reliable. Compliant databases will contain only people who want to be contacted, listing information they agreed to provide to you. That data is more likely to be correct and up-to-date.
You can now only collect data that is “adequate, relevant, and limited to what is necessary for the intended purpose of collection.” For example, landing page form fields must be relevant to the offer provided.
The data collected can now only be used for specified, explicit, and legitimate purposes. You’re not allowed to use the data in any other way than the intended purpose for which it was collected. For example, if someone signs up for one mailing list, you can’t automatically sign them up for other lists to send communications they did not consent to.
Marketers must now prove consent before sending any communications to contacts, including ensuring existing databases are GDPR compliant. This permission needs to be explicit across each channel, not just in email. Similar to the point above, if someone follows you on Twitter, you can’t opt them into marketing emails or you risk breaching GDPR.
Though GDPR may sound like a huge headache, our friends at HubSpot put together a great resource listing these benefits:
1) People’s attention will be treated with the respect it deserves.
2) Greater transparency between people and the companies that hold their data.
3) It sets a higher bar for marketers.
Disclaimer: Though everyone in your organization will likely be affected by GDPR and should be aware of it, this blog is not legal advice. You should consult your legal team for advice.