The countdown is on: Only two months are left for companies to ensure they are in compliance with the European Union’s General Data Protection Regulation (GDPR), set to be implemented on May 25. The regulation will apply to all businesses that hold and process personal data collected in the European Union, regardless of those businesses’ industry or location.
A bit of history: before GDPR, the EU relied on the 1995 Data Privacy Directive, which proved difficult to enforce, and compliance levels varied across the EU. Although countries like Germany and the Netherlands employed rigorous controls, some countries had virtually no controls whatsoever. The GDPR is designed to tackle that issue and ensure all countries deploy comprehensive controls to keep EU residents’ and visitors’ data safe.
The new GDPR rules are in the form of a regulation—imposing data protection standards that should, in theory, be the same in all 28 EU member states.
GDPR is serious business, and US companies and CMOs need to understand the huge impact it will have on cybersecurity and business operations as a whole.
What is GDPR?
There is a lot of misinformation out there about GDPR, so let’s start by defining it. The GDPR is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. The deadline for full compliance is May 25, 2018. Those that do not comply risk being fined up to 4% of their annual revenues, up to €20 million.
Does GDPR apply to data already in use by an organization?
A common misperception is that GDPR applies only to data collected after May 25, 2018. That is false. Existing customer data may become largely obsolete once GDPR comes into force, because individuals must give an explicit opt-in—they must expressly agree to allow an organization to contact them—before they can be marketed to.
This development is likely to be a headache for CMOs, in the EU and beyond, who have amassed tens of thousands of individuals’ details for marketing purposes, all of which could now be next to worthless without each individual’s explicit agreement.
What if we are not an EU-based company?
Another misreading of the rule is that GDPR affects only companies based in the EU. The reality is a lot more complex for businesses based beyond EU borders.
If an organization based in the US (or any non-EU country) offers goods or services in the EU market, the organization will be expected to be compliant. Even if a company is not physically present in the EU, it will be expected to comply if it processes the personal data of EU residents or visitors.
Most US companies are not prepared. An Imperva survey on GDPR awareness found that 57% of IT pros surveyed were not preparing for GDPR.
What will happen to my data-collection methods?
The upcoming regulations will also require marketers to be inherently more transparent, and they will crack down on the sale and rental of third-party data. Businesses will need to provide specific examples of what they intend to do with consumer data, and all parties involved in the data process must be named. The way that marketing interacts with that data will require targets to opt in to specific interactions.
How do citizens’ data rights impact data handling?
Two of the most important elements of GDPR for marketers are the “Right of Access by the Data Subject” and the “Right to Erasure.” GDPR grants EU citizens the right of access, which includes the ability to inquire whether their personal data is being processed and for what purposes. That means marketers will need to prove that they can effectively search and retrieve data processed on individual citizens and respond to inquiries in a timely manner.
In addition, to comply with the right to erasure, organizations will need to be able to quickly identify all data being collected about a customer through a variety of channels and prove the data can be extracted if it is no longer necessary. Doing so will be challenging; it may not be easy to tell whether an email communication is coming from the same customer, who may have used separate contact info previously.
What will happen if marketers do not play by the new rules?
The scale of the fines that GDPR will allow legislators to impose is set to drastically increase. In the UK, the Information Commissioner’s Office (ICO) is the body responsible for imposing fines and can currently do so only up to £500,000 per incident. However, according to an analysis by the NCC Group, the fines ICO imposed on all UK businesses in 2016 would have shot up by more than 7,000%, from £880,500 to £69,000,000, if GDPR-level fines had been in place.
That, of course, creates a much more tangible financial incentive for CMOs to ensure they are working within the GDPR framework; an imposition of a fine that drastic could have serious consequences for the wider business.
How should I start preparing?
The most important actions CMOs can take now are…
Meet with Legal. Sit down with your legal and compliance teams to find out how your company is preparing. If your legal team is not preparing, you may need to convince them to read the regulation and perhaps get outside counsel to advise them.
Review how data is collected and stored. Review and update methods of data collection. Make sure to have prospects opt in, and move away from covert tactics to more transparent ones. You should have a process to track and map the data on your systems.
Talk to your vendors. A best practice is to make sure your vendors—especially list or data brokers, but also software vendors—are themselves compliant or planning to get there. In the related world of data breaches, it’s often the brand and not the vendor that bears the brunt of fines.
Know what implies consent. Understand the GDPR rules around the actions of prospects. For example, if a prospect clicks a box for a price quote, that may qualify as opting in to further contact from Sales and Marketing since the action was taken in a sales context. However, if the prospect downloads a whitepaper, you may need further consent before you can reach out.
Set a date. When will you start this new approach to data collection? Get started as soon as possible for minimal interruptions to your lead funnel.
The potentially large penalties, combined with the high probability of brand damage, mean marketing departments must understand the rules and adapt their approaches. The more you know, the better your choices.