The European Union’s General Data Protection Regulation (GDPR) will start to affect how marketers handle personal information in May 2018. If you operate in the EU, you are likely aware of GDPR. If you represent a US-based company, you may not be as familiar with the coming regulation and the steps needed to ensure compliance. Either way, it’s important to fully understand the scope of GDPR so you don’t get caught off guard when it goes into effect. To help you know what to expect, we’re providing an overview of GDPR, key points to be aware of, and steps to take to prepare for its implementation.
Who does GDPR apply to?
Broadly speaking, GDPR applies to any company that collects or processes data from residents of the EU. This is a little vague, so let’s unpack it. GDPR applies to you if you have a legally recognized physical presence in the EU, if you sell your products in any of the 28 EU countries, or if you operate outside of the EU but collect data from EU residents.
Example 1: Let’s say you run a boutique hotel in the US and someone inside the EU books and pays for a room online—in this case, GDPR applies to you, because you are collecting and processing personal data (name, credit card number, etc.) from an EU resident.
Example 2: You use marketing automation to track the browsing activity of your leads, and EU residents browse your website. In the process, your marketing automation solution records their IP address in order to infer their physical location. Per GDPR, this counts as a collection of personal data. In the US, an IP address is not typically considered personal information, but in the EU, it is.
There are many regulations that will go into effect with GDPR, and you can read further about them on the GDPR website. Here are a few of the more important elements that you should be aware of:
Consent: Under GDPR, any company that collects personal information must gain explicit consent from that individual beforehand. When someone provides you with their email address via a form, you must explicitly ask them to confirm that they are opting in. You cannot infer consent in any way—it must be explicitly provided by each individual whose data you collect. Learn more about consent.
Right to Be Forgotten: Once someone has given consent for you to store and process their information, they have the right to revoke that consent at any time. Failure to comply with such requests could result in steep fines (see below for more information on penalties for noncompliance).
Right to Access: EU residents will have the right to request access—at any time—to the personal data you have stored on them. It’s obligatory to fulfil those requests and provide an electronic copy of that data to anyone who requests it.
Breach Notification: If at any time you experience a data breach that results in the acquisition of personal data by any external party, you will be required to notify your contacts within 72 hours.
Children’s Data: If there is a possibility that you will collect, process or store personal data of any EU resident under the age of 16, you will need to gain parental consent to do so. Failure to comply with this regulation will result in penalties.
What are the penalties?
The maximum penalty for noncompliance is 4% of your annual global turnover, or €20 million, whichever is greater. This fine will apply to more serious violations, such as not obtaining consent before processing personal data. You will also be liable for a 2% fine for not having your records in order or failing to notify in the case of a data breach. Learn more about GDPR fines.
Note: If you are not based in the EU, you will still be liable for fines levied through GDPR. For more information on how these fines will be enforced against US companies, check out this article.
Below, we cover important steps that you should take to prepare your organization for GDPR implementation.
Education and Awareness: First and foremost, you should dig into the literature around GDPR to fully educate yourself on the regulations and how they might impact your business. Everyone in your organization should be aware of the implications of GDPR, not just your data storage and IT teams. You can start by reviewing summaries of the articles contained in the GDPR. Then, if you want to dig into a particular topic, you can do so by browsing the full regulation documentation (PDF).
Documentation of Existing Data: You’ll want to document and understand the personal data you currently store, where it came from, and who you share it with. Depending on the quantity and breadth of personal data you store, you may need to conduct an internal data audit. GDPR will require you to maintain records of the personal data you store and your processing activities. For example, if you have shared inaccurate personal information with a third party, you will be required to inform that third party so they can update the data in question. This will be very challenging if you do not document the data you currently have and what you have done with it.
Updating Your Privacy Notice: You likely already have a privacy statement that is made available to those who opt into your email list, or those who make purchases online. GDPR introduces a few new stipulations that must be communicated to EU residents who interact with your company in that way. Learn more about privacy notices.
Mechanisms to Manage Opt-ins and Opt-outs: Because there will be significant changes to the way you are required to process opt-ins and requests to be forgotten, you will likely need to develop a mechanism for managing this process and storing the resulting data. Meticulous recordkeeping will be needed to do this, as will an automated system for processing opt-ins and opt-outs.
Fulfilling Data Requests: Under the Right to Access article, discussed above, you will be required to supply documentation of personal data to anyone who submits a request. How will you do this? Depending on the size of your business, it might not be feasible to process these requests manually, meaning you’ll need to put a software system or other technological solution in place to manage this. You may be able to do this manually if you barely interact with EU consumers. Consider your needs, and plan accordingly.
Notification of Data Breach: You will need a solution in place to communicate any data breach to your constituents within the 72-hour window. A marketing automation solution can manage this for you. But you’ll need to create a segmented list that includes every EU resident in your database. You’ll also want email templates that you can populate with information about the specific data breach and then send out rapidly. Having to draft a new email in a time of crisis will leave you open to omissions and communicating inaccurate data. Finally, set up a pre-packaged email send in your system so if the time comes that you need to communicate a breach, you can do so quickly and confidently.
The first step you should take is to determine whether GDPR will impact your business. If you don’t think it will affect you, you should triple check your situation. Be 100% sure before you decide not to take action to prepare. Next, do your homework and read up on the regulation to gain a thorough understanding of what is entailed and what is expected of you. Encourage everyone in your organization to familiarize themselves with GDPR, to ensure you don’t fail to comply inadvertently. Finally, follow the steps above to develop mechanisms that will streamline your ability to comply. The penalties involved are no joke, so GDPR is something to take very seriously.