What Every (U.S.) Marketer Must Know About EU GDPR Compliance
The European Union is known for its stricter-than-the-rest-of-the-world privacy laws, but the new General Data Protection Regulation (GDPR) has many marketers concerned as non-compliance can cost companies up to 4% of their last year's annual turnover! While this severe penalty is reserved for the most flagrant violators, as a marketer, even if you are not located in the European Union, you must know about these new guidelines as they will most likely affect you too.
What Is The General Data Protection Regulation (GDPR)?
The new General Data Protection Regulation (GDPR) sets out to provide a single set of protection rules and regulations across the European Union and give individuals more control over their personal data. It replaces and builds on the 1995 Directive's requirements for data privacy and security, increasing the obligations of organizations that collect or process this data and adding harsher penalties for non-compliance.
Under this new law, personal data is anything related to an identifiable person. This can be a name, email, or address, but also IP addresses or website cookies. There is also no distinction between data relating to a person in a private, public, or work role.
Therefore, personal data under this new regulation must be:
- Obtained and processed lawfully,
- Only stored and processed for a specific purpose,
- Kept secure and up-to-date,
- Retained only for as long as needed and then deleted, and
- Available upon request.
That means, going forward, you will have to:
- Give Notice: You must explain why you are collecting this data, how long you will keep the data for (retention period), and how the individuals concerned can access, modify, or delete the data you acquired.
- Receive Consent: Organizations must obtain and process personal data lawfully. To do so, you must have received affirmative consent (not only have a "legitimate interest"), track how and when the consent was given, and offer the ability to withdraw that consent.
- Facilitate Access, Modification, Deletion: Anyone whose personal data you have collected will be able to request access to any data pertaining to their person, modify it, or delete it. This can become complicated, as organizations are sometimes contractually or legally required to retain personal data.
- Explain Retention: Basically, you cannot keep personal data forever. You must delete or, if that is not possible, anonymize personal data if you do not have a good enough reason for storing or processing it.
Does This Apply To You? Most Likely!
By now, you are probably asking yourself, "Does this apply to me?" And most marketers outside of the EU would shake their heads and say, "No!" But it isn't that easy. One of the biggest misconceptions about this law is that this only applies to companies located within the borders of the European Union.
However, all organizations (regardless of location) that control or process personal data of EU citizens (even if the EU citizens are not in an EU country) are affected and therefore must comply. So, if you market products to EU citizens (whether explicitly or not) and/or monitor their behavior online, you are on the hook.
Now, I know what some of you are thinking. Unless you are a big international company like Google or Facebook, how will the EU actually impose and collect a fine on a U.S. company? Well, there are several avenues the EU has to take action.
- If you have an office in an EU member state, that member state can pursue you legally.
- If you do a lot of business in the EU and violate GDPR, the EU can "force" you to maintain a physical representation in a member state.
- If you are a U.S. company with no financial interests in the EU, but still violate GDPR, the EU can use international law to impose a fine and, with U.S. cooperation, collect it.
What Should You Do From Now Until The Law Takes Effect?
The next question you are probably asking now is: "What should I do now?"
Since we have exactly six months to get ready, there are several steps you should take immediately to ensure you are compliant before the law takes effect. Keep in mind, this isn't a useless compliance exercise — these regulations really just spell out what we should be doing anyway as responsible stewards of our contacts' personal data.
1) Get Educated About GDPR
First and foremost, you need to get educated about the General Data Protection Regulation. You can find the full regulation in a "neatly arranged website" as well as an extensive glossary here. Be sure to exactly understand the individual rights of your data subjects and internal procedures and principles for entities that handle personal data. You should also know who the supervisory authorities are and get familiar with the scope, accountability, and penalties of these guidelines.
2) Determine Whether GDPR Applies To Your Organization
Now that you understand GDPR, you have to determine whether or not it applies to your organization — and if so, how will it affect you? To do so, you will first need to understand what data you actually have in-house, how it enters your company, where it flows from there, who has access to it, and where it is stored and how.
In addition, you need to examine your current data collection methods: Do my contacts know I am collecting their information? What did I tell them when I acquired their personal data? Do I have privacy policies that talk about retention policies or what I will do with that data?
No matter your company's size or whether you are forced to be GDPR compliant or not, any organization that is customer-centric should make data mapping a required process. Ask yourself:
- What personal data do I have stored in my contact database?
- How did I build my contact database? Are we utilizing any integrations (e.g., a sync with a back-end system such as a CRM) that import contact information? Did we import our recently hired salespersons' personal LinkedIn contacts without each contact's explicit consent? Did we co-host a webinar with a third party and receive a list of potential invitees?
- What is my legal ground for obtaining or processing personal data?
Be diligent and honest. This necessary assessment will allow you to take a strategic approach and spare you potential headaches down the road. Should it come to an audit, the burden of proof is on you and your data processor. Having done your homework will allow you to provide not only the promise, but the proof.
3) Understand Your Data Processor's Role
While former regulations focused primarily on the data controller, the organization that owns the data, GDPR is the first regulation that puts more responsibility on the organization that processes the data as well. This can be Google or Microsoft if you are using Google Drive or Office 365, your marketing automation solution provider like HubSpot or Marketo, or any other service provider who holds and/or processes your contacts' personal data. While this is great, it also means that you have to know exactly what your processor is doing as well!
4) Create Adequate Privacy Policies Going Forward
Now that you have done your homework, it is time to sit down with your attorneys, marketing team, and executive leadership to hammer out some guardrails on how your organization will ensure compliance.
One of the first things you will need to decide on (and you should implement as soon as possible), is how you will handle consent. Think about how you capture consent today. Are you using a blank checkbox or a popup to make your visitors aware of (and agree to) your privacy policies? Have you mapped "affirmative" consent? How do you let your subscribers know they can opt-out? Do you share with them what personal data you hold and why?
Your notice of consent should also include documentation of your processing activity, the purpose of processing, and where the data is transferred or stored, as well as any security measures you take for storing and sharing personal data.
In addition, you should provide more details on your retention policy. How long are you storing the personal data? What determines the lawful basis for continuing to process it and when does that expire? What is your deletion policy and how do you ensure it is enforced?
Last, but not least, a word of caution on double opt-in. While double opt-in is a GDPR best practice, it is not explicitly required, and can pose a risk if you can provide proof of consent through double opt-in for some of your contacts, but not all. Also, double opt-ins tend to have a lower conversion rate than single opt-ins.
5) Decide On How To Treat Your Existing Contacts
Now, the trickiest question of all: What do you do with all your existing contacts? Do you need to retroactively get their "affirmative consent" by emailing them and having them double opt-in? The answer, unfortunately, isn't very straightforward and it depends on your individual circumstances, your past marketing activities, and your organizational size.
The main thing to remember (besides speaking to your attorney) is to do your best. Show that you have done your homework and provide solid proof that you have been a responsible steward in the past. Consider retroactive activities carefully as these might be cost and time prohibitive and you might run into very low response rates. And what then? Should you delete all contacts that have not opted-in?
Again, start with an analysis. Which of my contacts have recently downloaded content or interacted with our emails? What happens to contacts that do not engage with us? Did we practice sound unsubscribe/opt-out policies? If you have a valid reason to continue to process an individual's personal data and you can prove that the person has engaged with you recently, you might be okay, but it is always best to consult with a legal professional!
However, you will need to provide all your contacts the ability to access, modify, and delete their personal data. This can happen via a simple self-service page on your website. You can also leverage marketing automation to enforce any set retention periods (via workflows) and to track the purpose for which each contact's data is processed.
Conclusion: Invest In Inbound Marketing
As security breaches are becoming more the norm than the big exception, companies must become more responsible stewards of their contacts' personal data by taking advantage of anonymization and encryption, regular system tests, and confidentiality and resilience controls. The new EU regulations are a healthy and timely reminder to stop procrastinating until your organization falls prey to malicious activity, and to get ready now.
While direct marketing is explicitly called out as a legitimate interest, you will still need to prove that your interest outweighs the individual's interest in the protection of their personal data. Your basis for continued processing can be either contractual (if they are clients), direct marketing activities (lead nurturing), or the need to hold information in order to provide support.
As you have seen above, companies that have diligently practiced Inbound Marketing already have a leg up on their competition. They haven't purchased email lists, they have an exact trail of how their contacts' personal information got into their database and how they have used it since, and they can prove consent with some sort of opt-in as well as show ongoing engagement.