On May 25, 2018, American companies doing business in the EU may have additional regulations to consider. That’s when the General Data Protection Regulation (GDPR) goes into effect. The GDPR is a regulation enacted by the European Union governing consumer privacy, but it protects EU citizens globally, regardless of where their data is located. If a US company has an EU citizen in its database, that company will fall under the new EU regulations and could face a fine for noncompliance.
What does the GDPR include?
The General Data Protection Regulation (GDPR) is having a global impact on how businesses handle consumer privacy and data. Since this degree of regulatory overview of personal data is unprecedented, businesses everywhere need to reevaluate and change their procedures to ensure the highest levels of privacy protection—or face a fine of up to $20 million euros or 4% of annual global revenue.
Some of the main compliance factors:
- Handle consumer data carefully and understand and document the entire process consumers data goes through.
- Give consumers the control to monitor, check and remove any information pertaining to them. This includes the ability to give consumers copies of their data and how it is being used if they have asked for it.
- Ensure the consent of data collected. Have the ability to show that the company is processing personal data lawfully. The consent of users to give their data needs to be clear and transparent.
- Ensure data remains protected with new processes. (Think new positions within companies like data protection officer.)
- Encrypt or remove identifying data so it is unable to be associated back to a user.
- Implement processes to notify of any data breaches within 72 hours of discovery. As part of this, the company will also need to describe the nature of the breach, include the name and contact information of the data protection officer (or similar role), consequences of the breach, and what is being done to mitigate future adverse effects from the breach.
- Parental consent of data for children up to age 16 is required.
Overall, marketing efforts such as data mining, remarketing, location targeting, and more, will need safeguards and processes in place to ensure correct handling of data under the new GDPR guidelines.
What are companies doing to prepare?
If you use marketing technology platforms—think media vendors, email marketing, dynamic content, social media, Google Analytics, etc.—you’ll be noticing changes in their privacy terms, new features being rolled out, and the removal of some audience targeting efforts. Here are a few of the efforts currently changing:
Social Media Platforms
Facebook is currently updating privacy concerns for both consumers and businesses. From a consumer perspective, they are simplifying the design and usability of privacy settings so users can more easily control which data is shared. From a business perspective, they are altering how businesses can advertise and target potential customers on the platform. These updates include:
- A new consent agreement from advertisers stating that the customer data being uploaded (think customer databases for lookalike audiences) have given consent to be marketed to.
- Phasing out the ability for businesses to target ads based on third-party data (such as in-market for auto or home purchases, household income, purchase behaviors and more).
Dynamic Content Platforms
These platforms add tracking pixels to a website to dynamically change the web content based on known actions of the web visitor. Companies are updating their features to remove any identifying data from audience segments, setting up functionality for “do not track” (or right to consent) settings for consumers, and adding the ability to request access or delete individual data captured.
Email Marketing Platforms
Email platform companies have been strict on consent and opt-in laws for some time, requiring that anyone being sent an email has agreed to it and can easily unsubscribe. Email platforms are taking it a step further with developing processes to provide data requests to consumers who are asking to know the use of their data and have the ability to remove it.
How will this impact your digital marketing efforts?
With a stronger focus on consumers’ data privacy and protection, new practices and ways of doing business will be changing. From a business perspective, here are things you should be implementing or talking with your marketing team about:
- Check your email signup forms. If you are gathering email signups online, make sure there is a clear statement that by submitting the form they are consenting to joining the marketing list and receiving advertising content, or if there is a checkbox ensure that it is not checked by default.
- Notify customers about cookies. If your site is using cookies or targeting data, it will become more common to see pop-ups alerting web visitors to the use of these pixels.
- Outline the ways your company gathers consumer data, where it is stored, how it is used. Look for areas of insecurity and ways to tighten the process up.
- Understand how your data is stored and what is required to keep it secure. What encryptions are used, backup procedure done, password requirements, and more.
- Turn to your legal team for guidance. With so much legal complexity (and extensive fines for noncompliance), make sure your legal counsel can sign-off on your data collection policies with regards to the GDPR.
Moving forward, it will be even more important to understand where your customer data is coming from, how it is being shared and stored, and who has access to it.