To succeed in digital today, it’s imperative to be at the forefront of the constantly changing landscape. The EU’s General Data Protection Regulation (GDPR) is one such change. Consider it your wake-up call.
While the EU is the first to implement these data regulations, it has global implications and signals a new era in how personally identifiable information is managed.
It’s important to note that GDPR is not something new (although you may only have recently heard of it). And it’s not in reaction to the recent Cambridge Analytica scandal. While the timing of its implementation lines up almost perfectly for news cycles, it was actually passed into law in 2016.
This is important to note for two reasons. Firstly, because these recent developments and data scandals have only added fuel to the fire of regulating how data is handled. And secondly, because there is no grace period to comply with these regulations. The time is now — May 25th is the day the regulations go into effect.
What Is GDPR?
The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25th, with widespread implications for brands globally. These regulations give governing power to how EU member states deal with users’ personally identifiable information.
These protections extend to anyone within the EU. This means, even if you go on vacation in any EU member state, you would be protected under the GDPR. Due to this, compliance extends outside of companies based in the EU, to anyone who collects data coming from the EU (i.e. if you have a form on your website and someone residing in the EU fills it out).
This type of regulatory action is unprecedented and will require companies to provide the highest level of data privacy protection or receive crippling monetary fines — the greater of 20 million Euros or 4% of your company’s global operating revenue.
GDPR concerns how personally identifiable information is used and stored by companies. It exists to give the consumer utmost control over their personal data. A key element of this regulation states that any personally identifiable information a company has must use anonymization and be highly encrypted. Meaning, no personally identifiable information should ever be able to link back to the person. All identifiers need to be stripped away when they are stored so the data can’t identify any individual.
This includes information like IP addresses, email addresses, names, location data, birth dates, phone numbers, financial info, religious preferences, biometrics and more. And it must be secure: the countless data breaches common today will no longer be acceptable.
Not only do you have to ensure you are storing the data securely, you have to ensure the consumer has the ability to monitor, check, control, and if they want, delete the data you have on them.
Why Should You Care?
You may be asking, “This is happening overseas and my business operates within the US. Why should I care about these regulations?”
The short-term answer is that it has the potential to impact you, so it’s worth your time to make sure you’re buttoned-up. Additionally, it signals the future of consumer data protection and we expect to see changes that will directly impact US-based companies at some point in the not-too-distant future.
This act protects data for all users within the EU, wherever it goes. The GDPR breaks out who must comply into two groups:
- Firms located within the EU
- Firms not located within the EU, that offer free or paid goods or services to people within the EU, or if they monitor behavior of people within the EU
If you’re not located in the EU, you still need to ensure compliance unless you block all traffic coming in from anywhere within the EU.
Try this: log into your company’s Google Analytics account and view the geography of users on your site over the last 60 days. Is any of the traffic from countries within the EU?
If you aren’t sold on complying with GDPR, here are some indicators of whether you would be at risk of being penalized by the EU.
It may be enough evidence for the EU to go after you for compliance if your company markets its products in the same language that is commonly used in an EU state, if your company lists its products in EU member state currencies, or if your company utilizes or cites EU customers or users.
These broad definitions leave open an unknown amount of risk for your company. We don’t know how aggressively the EU will go after firms not located within the EU. But mitigating the risk as much as possible is a good idea considering the monetary consequences of non-compliance.
Preparing for GDPR Compliance
Figuring out how to comply with these regulations can feel like wading through murky water. While Room 214 does not offer legal advice, we’ve put together a list of areas to consider when entering into conversations with your internal marketing and IT teams, partner agencies, and your legal department to help navigate this confusing topic.
- Take a look at the data the pixels on your site are pulling in. Is there personally identifiable information in there? If so, think about disabling them or be sure your use of the data complies with the regulations.
- When using lead forms, ensure you have clear and visible opt-in boxes.
- If you’re using lead forms, make sure you have permission to collect IP addresses/email addresses (e.g., Gravity Forms).
- Consider blocking traffic from the EU if it is not valuable to your business.
Email, CRM, Rewards Programs
- You’ve likely seen dozens of emails from organizations in the past weeks asking you to opt in again to receive their emails. Ensure that you are asking explicit permission from people who participate in your email lists and reward programs.
- Anonymizing user IDs / IP addresses is a necessary component to compliance for these rules. If you don’t have any traffic from the EU, you could get ahead of the game by implementing this now.
- Audit all tools you are using (SMS, advertising partners, sales/eCommerce tools, etc.) to ensure you are either not storing any personally identifiable information or, if you are, that the tools are GDPR compliant.
- Audit all internal communication tools (email, Slack, Skype, etc.). If you are a multinational corporation, your internal correspondence is subject to these regulations too.
- You will need to provide a Privacy Notice letting users know how you are using their data. GDPR says that companies must provide information about how they process users’ data in a concise, transparent, easily accessible and written form, in clear and plain language, and free of charge. Being transparent with your customers is always a good policy.
- Update your contract templates and amend current contracts to ensure your partners are complying with GDPR.
Data Storage Systems
- Right to be forgotten: GDPR dictates that users have the right to request that any and all data you have on them be deleted at any time. So companies will need to set up their databases in ways that: 1) they can find that person within the privacy confines of GDPR and 2) the data is stored in a way that it can be deleted.
- Relational Databases: this means you organize your database in a way that you can’t pick out a specific user and find all of their data in a single table. You would have to ‘join’ tables, and have access to all of the tables, in order to pull the data. This allows a regular user to be limited in seeing the personal identifiers while still being able to see the data they need to.
- Integrate IT and Marketing departments: having these teams work together will ensure you keep data systems up to regulation at all times.
- Educate your team: anyone who handles any kind of data needs to understand these regulations in order to keep the organization protected.
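The table separation described above, together with the IP anonymization mentioned in the email/CRM list, as an added example that is not part of the original post or Room 214’s own tooling. It assumes a constructed SQLite schema in which identifiers live only in a `subjects` table, analytics rows in `events` carry just an opaque `subject_id` and a truncated IP, and an erasure request is served by deleting the identity row so the remaining rows can no longer be linked to a person.

```python
import ipaddress
import sqlite3

# Constructed demo schema (not from the post): identifiers live only in
# `subjects`; `events` holds nothing but an opaque pseudonym and a
# truncated IP, so a regular analyst can read it without seeing PII.
SCHEMA = """
CREATE TABLE subjects (
    subject_id TEXT PRIMARY KEY,          -- opaque pseudonym, not derived from PII
    email      TEXT UNIQUE NOT NULL,
    name       TEXT NOT NULL
);
CREATE TABLE events (
    subject_id TEXT REFERENCES subjects(subject_id) ON DELETE SET NULL,
    ip_prefix  TEXT NOT NULL,             -- anonymized before storage
    action     TEXT NOT NULL
);
"""

def anonymize_ip(ip: str) -> str:
    """Keep only the network part (/24 for IPv4, /48 for IPv6) so the
    stored value no longer singles out one household or device."""
    bits = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False).network_address)

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # needed for ON DELETE SET NULL
    conn.executescript(SCHEMA)
    return conn

def record_event(conn, subject_id, email, name, ip, action):
    conn.execute("INSERT OR IGNORE INTO subjects VALUES (?, ?, ?)", (subject_id, email, name))
    conn.execute("INSERT INTO events VALUES (?, ?, ?)", (subject_id, anonymize_ip(ip), action))
    conn.commit()

def find_subject(conn, email):
    """Step 1 of a request: locate the person by the identifier they supply."""
    row = conn.execute("SELECT subject_id FROM subjects WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None

def erase_subject(conn, email):
    """Step 2: delete the identity row; the FK unlinks every event row.
    Returns how many event rows were unlinked (0 if the person is unknown)."""
    sid = find_subject(conn, email)
    if sid is None:
        return 0
    n = conn.execute("SELECT COUNT(*) FROM events WHERE subject_id = ?", (sid,)).fetchone()[0]
    conn.execute("DELETE FROM subjects WHERE subject_id = ?", (sid,))
    conn.commit()
    return n
```

After `erase_subject` the event rows still exist for aggregate reporting, but nothing in the database can tie them back to the person, which is the property the “right to be forgotten” bullet asks for.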
GDPR: A Bellwether for the United States?
The EU has historically been focused on consumer protection, with a long-standing history of passing legislation that favors the consumer over businesses. Conversely, the US has always skewed more business-friendly.
Given the current administration, the policies from the FCC (e.g., Net Neutrality), the amount of lobbying, and the size of the data analytics and tech industries, it is highly unlikely we will see any GDPR-size regulation from the United States federal government anytime soon.
However, while Washington has always been business-friendly, states such as California have taken up the consumer protection flag on their own. It is likely we will see regulations at a state level. California has already introduced the California Consumer Personal Information Disclosure and Sale Initiative, which is on course to appear on their November ballot. If individual states start to regulate data usage, it will create a complex and cumbersome environment for companies to navigate.
It seems that we are in a time of change when it comes to how personal data is handled. With the recent Cambridge Analytica data scandal and the massive data breaches that we’ve been seeing over the past few years, the fire regarding consumer data is only being fueled.