By guest blog contributor Dave Cacioppo, emfluence.
GDPR has a lot of U.S.-based companies scratching their heads and wondering if they should be concerned. With so much confusion surrounding how—or if—GDPR will impact marketers and companies in the U.S., this post should help you get a sense of the potential impact GDPR could have on your marketing efforts.
What is GDPR?
Let’s start with the basics. The General Data Protection Regulation, or GDPR, is European legislation that goes into effect on May 25, 2018. The legislation is designed to put control into the hands of consumers regarding how their Personally Identifiable Information (PII) is obtained, used and shared. GDPR applies to not only companies that operate in the EU but also to any company that controls or processes data for EU citizens. In other words, even if your company is based in the U.S. and does not actively market to EU citizens, GDPR could still apply to you, should an EU citizen find their way into your database.
How Does GDPR Impact EU Citizens?
GDPR is designed to set rules for how organizations obtain, manage and use the PII of EU citizens. The regulation has several key benefits for EU citizens:
- Increased security.
Companies are required to have a reasonable level of security in place to protect PII.
- Required consent to process and share information.
Before using or sharing your PII, a company must obtain your consent and be transparent about how it will be used.
- The right to correct PII that is incorrect.
If a company is processing and sharing information about you that is incorrect, consumers must be given the opportunity and method to correct that information.
- The right to be forgotten.
Consumers can now request that their PII be removed from a company’s database.
- The right to obtain the PII that a company holds.
Consumers can request a copy of the information that a company holds about them.
What Are the Requirements of Organizations That Must Comply with GDPR?
Remember, GDPR could apply to you even if you’re not actively collecting personal information from EU citizens. For example, if an EU citizen downloads a whitepaper from your website, then you could find yourself subjected to GDPR. In order to comply with GDPR, consider the following:
- Obtain adequate consent.
Marketers can no longer bury privacy notices behind links. Notice must be presented at the time of data capture and transparency and clarity are critical.
- Increase security.
Security requirements are now part of the regulation and must be followed. However, some vague language, including the word “reasonable,” make compliance a bit of an undefined target. Encryption, pseudonymization, and anonymization are a good start at tackling the security requirements, but there is more to it.
- Manage the right to be forgotten.
Companies must give consumers a method to delete the information stored about them. Given that most marketing entities store data in numerous places (CRM, ESP, MAP, ERP, excel files, custom databases, etc.), simply having an accessible data inventory can be a challenge, much less tracking down all the data tied to a single consumer.
- Adoption of a Data Protection Officer.
This role requires an individual who has “expert knowledge of data protection law and practices.” This individual is responsible for training and education within the organization. In addition, the DPO acts as the liaison between the company and the GDPR Supervisory Authority and the liaison between the company and consumers who have questions or concerns about their data and their rights.
What Constitutes PII (Personally Identifiable Information)?
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. PII can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. In addition, there are special classes of PII, like religious beliefs, political opinions, and racial or ethnics origin, that companies are prohibited from processing unless explicit consent is given.
What Are the Roles of Data Controllers and Data Processors?
First, some definitions. According to Article 4 of GDPR, “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Generally speaking, the GDPR treats the Data Controller as the principal party for responsibilities such as collecting consent, managing consent-revoking and enabling right to access. A data subject who wishes to revoke consent for his or her personal data therefore will contact the Data Controller to initiate the request, even if such data lives on servers belonging to the Data Processor.
The Data Controller, upon receiving this request, would then proceed to request that the Data Processor remove the revoked data from their servers. Data Controllers are responsible for, and must be able to demonstrate compliance with, the principles relating to processing of personal data, including lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data.
The Controller is also ultimately accountable for any Processor they choose to work with. The GDPR states that “where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Understanding Notice and Consent.
A privacy notice is a statement made to a data subject that describes how the organization collects, uses, retains, and discloses personal information. The following questions should be considered when writing a privacy notice:
What information is being collected?
Who is collecting it? How is it collected?
Why is it being collected?
How will it be used?
Who will it be shared with?
What will be the effect of this on the individuals concerned?
Is the intended use likely to cause individuals to object or complain?
Consent under GDPR should put individuals in control of their own data. While this may seem a like a step backward for marketers, in the long run it’s likely to build trust and engagement and enhance your reputation.
Consent requires positive opt-in. In addition, messaging must be clear, explicit and concise. Consent must be easy to withdraw, and marketers must keep evidence of consent. In addition, marketers should avoid making it a precondition of service.
Privacy by Design.
In order to fully comply with GDPR, organizations need to start thinking about privacy from the ground up. Key stakeholders from all departments need to be part of the conversation. If managed properly, compliance shouldn’t be overly burdensome. This language from GDPR sums up the expectations of Data Controllers:
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
What are the penalties under GDPR?
Fines are administered by individual member state supervisory authorities (83.1). There are 10 basic criteria under which the severity of penalty will be considered:
- Nature of infringement: number of people affected, damaged they suffered, duration of infringement, and purpose of processing
- Intention: whether the infringement is intentional or negligent
- Mitigation: actions taken to mitigate damage to data subjects
- Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
- History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
- Data type: what types of data the infringement impacts; see special categories of personal data
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement
The end result could be a fine up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher for each violation.
What should you do?
The ramp up time for compliance has been a several year period. If you are behind, now is the time to take a serious look at your data and your practices. Start with an audit of where your data lives, what data points are included and if any of your PII is for EU citizens.
For a list of additional resources and perspective, you can find more information at https://emfluence.com/blog/gdpr-marketers.