By guest blog contributor Dave Cacioppo, emfluence.
GDPR has a lot of U.S.-based companies scratching their heads and wondering if they should be concerned. With so much confusion surrounding how—or if—GDPR will impact marketers and companies in the U.S., this post should help you get a sense of the potential impact GDPR could have on your marketing efforts.
Let’s start with the basics. The General Data Protection Regulation, or GDPR, is European legislation that goes into effect on May 25, 2018. The legislation is designed to put control into the hands of consumers regarding how their Personally Identifiable Information (PII) is obtained, used and shared. GDPR applies not only to companies that operate in the EU but also to any company that controls or processes data for EU citizens. In other words, even if your company is based in the U.S. and does not actively market to EU citizens, GDPR could still apply to you, should an EU citizen find their way into your database.
GDPR is designed to set rules for how organizations obtain, manage and use the PII of EU citizens. The regulation has several key benefits for EU citizens:
Remember, GDPR could apply to you even if you’re not actively collecting personal information from EU citizens. For example, if an EU citizen downloads a whitepaper from your website, then you could find yourself subjected to GDPR. In order to comply with GDPR, consider the following:
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. PII can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. In addition, there are special categories of PII, like religious beliefs, political opinions, and racial or ethnic origin, that companies are prohibited from processing unless explicit consent is given.
First, some definitions. According to Article 4 of GDPR, “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Generally speaking, the GDPR treats the Data Controller as the principal party for responsibilities such as collecting consent, managing consent withdrawal and enabling the right of access. A data subject who wishes to revoke consent for his or her personal data therefore contacts the Data Controller to initiate the request, even if that data lives on servers belonging to the Data Processor.
The Data Controller, upon receiving this request, would then proceed to request that the Data Processor remove the revoked data from their servers. Data Controllers are responsible for, and must be able to demonstrate compliance with, the principles relating to processing of personal data, including lawfulness, fairness and transparency, data minimization, accuracy, storage limitation, and integrity and confidentiality of personal data.
The Controller is also ultimately accountable for any Processor they choose to work with. The GDPR states that “where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
A privacy notice is a statement made to a data subject that describes how the organization collects, uses, retains, and discloses personal information. The following questions should be considered when writing a privacy notice:
What information is being collected?
Who is collecting it? How is it collected?
Why is it being collected?
How will it be used?
Who will it be shared with?
What will be the effect of this on the individuals concerned?
Is the intended use likely to cause individuals to object or complain?
Consent under GDPR should put individuals in control of their own data. While this may seem like a step backward for marketers, in the long run it’s likely to build trust and engagement and enhance your reputation.
Consent requires positive opt-in. In addition, messaging must be clear, explicit and concise. Consent must be easy to withdraw, and marketers must keep evidence of consent. In addition, marketers should avoid making it a precondition of service.
In order to fully comply with GDPR, organizations need to start thinking about privacy from the ground up. Key stakeholders from all departments need to be part of the conversation. If managed properly, compliance shouldn’t be overly burdensome. This language from GDPR sums up the expectations of Data Controllers:
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
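As an added illustration (not code from the original post or from emfluence) of the Article 25 language above and the Controller-to-Processor withdrawal flow described earlier: a Python sketch in which the Controller alone holds the pseudonymisation key and the consent evidence, hands a Processor only the fields each purpose needs under a pseudonymous subject ID, and on withdrawal returns the ID the Processor must delete. The PURPOSE_FIELDS table, the method names and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Fields each processing purpose actually needs (constructed policy table).
PURPOSE_FIELDS = {"newsletter": {"email", "first_name"},
                  "site_analytics": {"country"}}


class Controller:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the Controller
        self.consent_log = {}                # pseudonym -> {purpose: evidence}

    def pseudonymise(self, email):
        # Keyed hash: the same email always gives the same pseudonym, but a
        # Processor without the key cannot turn the pseudonym back into the email.
        mac = hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def record_consent(self, email, purpose, opt_in, source, statement):
        if not opt_in:  # a pre-ticked box or silence is not consent
            raise ValueError("consent requires a positive opt-in")
        pid = self.pseudonymise(email)
        self.consent_log.setdefault(pid, {})[purpose] = {
            "source": source, "statement": statement, "withdrawn": None,
            "given_at": datetime.now(timezone.utc).isoformat()}
        return pid

    def prepare_for_processor(self, purpose, record):
        """Minimise by default: keep only the fields this purpose needs,
        keyed by pseudonym; return None if there is no valid consent."""
        pid = self.pseudonymise(record["email"])
        evidence = self.consent_log.get(pid, {}).get(purpose)
        if evidence is None or evidence["withdrawn"]:
            return None
        out = {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}
        out["subject_id"] = pid
        return out

    def withdraw(self, email):
        """Withdrawal is made to the Controller; it returns the pseudonym the
        Processor must now delete and the purposes that were revoked."""
        pid = self.pseudonymise(email)
        now = datetime.now(timezone.utc).isoformat()
        revoked = []
        for purpose, evidence in self.consent_log.get(pid, {}).items():
            if evidence["withdrawn"] is None:
                evidence["withdrawn"] = now
                revoked.append(purpose)
        return pid, revoked
```

The consent log is the evidence of consent the text asks marketers to keep: who consented, from which source, to which wording, and when it was withdrawn.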
Fines are administered by individual member state supervisory authorities (Article 83(1)). There are 10 basic criteria under which the severity of the penalty will be considered:
The end result could be a fine of up to €20 million, or 4% of worldwide annual revenue for the prior financial year, whichever is higher, for each violation.
The ramp-up time for compliance has been a period of several years. If you are behind, now is the time to take a serious look at your data and your practices. Start with an audit of where your data lives, what data points are included, and whether any of the PII belongs to EU citizens.
For a list of additional resources and perspective, you can find more information at https://emfluence.com/blog/gdpr-marketers.