If you have a business page on Facebook, you might’ve noticed several notifications all about GDPR (General Data Protection Regulation) on your page over the past few weeks. If you’re in the US like we are, you probably checked it out and then became a bit confused about what it really is. Then you might’ve started digging around about it and started to see how much there is to it (as well as how much confusion there is encircling it). Even though it’s a regulation being imposed by the European Union, it absolutely has global ramifications and will have a serious impact on American businesses. That’s for certain.
GDPR goes into effect May 25th – just a few days away. And one thing we know is this: more than 60% of companies will miss this deadline (purely because they just won’t be able to manage to get GDPR-compliant in time due to the lack of talent, resources, time, etc.) and only 7% of companies are GDPR-compliant right now according to a report compiled by Crowd Research Partners. Among some of the bigger things companies will have to do: appoint a DPO (Data Protection Officer) with specific qualifications, hold and document trainings for their employees on GDPR-compliance for their organization, do a thorough assessment of their current data as well as third party providers who may help process people’s personal data, create a response plan to be able to quickly provide proper and accurate information within 72 hours (weekends, holidays, etc. included) of a data breach – among other things. The consequence for non-compliance? Could be fines up to a cool €20M (or 4% of your global revenue – whichever is higher).
Got your attention yet?
Below we hit some of the biggest highlights for you to consider – like:
- What is GDPR?
- How exactly is personal data defined?
- Why has it come about seemingly all of a sudden?
- Where is it?
- Who and what does it effect?
- What does it change about the way we do business?
- When does it take effect?
- Why should I care and what should I do?
We also included some GDPR / Marketing-related acronyms and terms that you’ll need to know. This is not an all-encompassing list and we’ll have to come back with more info, perhaps even an expert to talk with us on the subject, etc, but this is enough to get you started. You can also check out our video below as well which gives a little bit more info / illustrations / ways to think about this new regulation from the EU. Finally, here’s the full guide to GDPR by the ICO (Information Commissioner’s Office). It’s about 88 pages and a cool 50,000 words. Not to worry – here’s the high level to get you started:
WHAT is it?
GDPR = General Data Protection Regulation. It’s designed to increase the protection of EU residents’ personal data. It also gives EU citizens more control over their data. Truthfully the premise behind it is not bad. If you take off your marketer or business hat and think of yourself as just a consumer, this GDPR-ness will make a lot more sense. It essentially says that everybody has the right to privacy and security of their own data. You should be able to opt-in to what you want to. Opt-out of whatever you want to, whenever you want to – easily. Find out what data any organization has on you at any time. Ask them to delete it all if you want – at the drop of a dime. GDPR is really designed with the protection of individuals in mind.
WHAT is the definition of personal data?
GDPR’s official definition? “Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” What does that really mean? It’s info like this that you might expect – name, email, phone number – and other info we might not typically consider – ID numbers, location data, IP address, online identifiers, company registration numbers, date of birth, cookies, tags, pixels, religious info, ethnic info, biometrics data, health data, financial data, kids info. Get the picture? Anything that can be used to personally identify you as you.
WHY is it?
Its core premise is that privacy is a fundamental right. It’s an update to an existing regulation from the 90s. So it has to evolve as our technology evolves. This has actually been in the works for two years now and bigger corporations like Facebook, Google, Amazon and others have certainly have a leg up on it since then. The funny thing is that I actually lived in the UK before and I can tell you one thing: the Scottish and British alike are quite skeptical and highly suspectful in general. They’re very careful about their information. Everyone uses chip cards now instead of the “old school” slider cards, but whenever they have to input pin information at a register, ATM, etc, they ALWAYS shield it with their hands. I actually lived there just before America started adopting the chip cards so living over there with a “slider card” – people thought we were such “in the dark ages!!”
I think it’s part of European culture to be quite skeptical of what data is being used for. Truthfully, as you might imagine due to their history and how data was used against them in the past, the most careful and skeptical country of all in the EU is Germany (one word: holocaust). Therefore, they have the strictest rules. So prior to GDPR, every country kind of had their own DPA’s (Data Protection Authorities). Now, citizens can either complain to their local DPA which will funnel it up to the GDPR level (I’m assuming the ICO), or they can go directly to the ICO (again, if I’m not mistaken) – but basically a EU-level DPA who would then work with their local DPA to handle data handling complaints, etc.
WHERE is it?
It’s for the EU but it effects anyone who does business / could potentially collect any kind of personal data from EU citizens.
WHO does it effect?
Anyone who sells to, targets or could come across personal data from EU citizens. EU = 26 countries. Currently includes the UK. Once Brexit hits, we hear they will have their own version of GDPR.
WHAT does it effect? What does it change?
This completely changes the way data is handled. Everything needs explicit consent now. We can now only process data we REALLY need! Now you need legal justification for why that personal data is being processed. It will force us to focus on the critical data (not the nice-to-haves). That’s hard for us because we want it all “just in case” – for future segmenting, etc. We will also have to radically re-engineer our processes for data handling.
- Email Marketing: Your email lists. Might be a good idea now to make sure people have positively opted in to your lists – that it’s still OK to send them information.
- Social Media: Like Facebook custom audiences. We’ll now need separate consent form from the individual for their email to be used for promoted social media posts.
- Requests for data access: people can now request that you give them a full report on any data you have on them at any given time. When, how, to what they consented, plus the data you hold.
- CRM Platforms (Customer Relationship Management): obviously a critical holder of data for your organization. You’ll want to make sure it’s organized well to accommodate quick requests for information. You also want to make sure that you’re not holding on to “unnecessary” data – another thing you can get your hand slapped hard for.
- Get Rid of Pre-Ticked Boxes: People also need the ability to withdraw consent for each distinct processing activity (no blanket consent) – e.g. email signup forms that pre-tick everything.
- No “Pre-condition of Service”: Can’t make people do it before they’re able to receive your service / product (unless it’s a newsletter).
- No grandfathering: applies to ALL personal data you currently have, not just data obtained after May 25.
- Provide clarity: Give as much detail as possible on what their data will be processed FOR and WHO will be processing it. Clearly communicate to your audience about this. What’s happening with their data – when, how? Tell them what you’re collecting, that you’re going to protect their data and do what you say you’re going to do.
WHEN is it? Deadline of May 25.
WHY should I care?
- THE NEGATIVE SIDES: The penalties are nothing to laugh at. Fines can go as high as €20M or 4% of global revenue (whichever is higher). So if you end up sending emails without appropriate consent, guess what happens? You’re going to get fined. Honda and Flybe got fined £83K for the emails they sent back in March 2017. Could cause you to lose customers. Could cause you to lose trust. Consider the cost of obtaining a customer in the first place.
- THE POSITIVE SIDES: Opportunity for transparency and trust, deepen relationships. Competitive advantage.
WHAT should I do?
- Analyze your data collection process: how do you currently obtain consent? “Positive opt-in with CLEAR affirmative action” (no pre-ticked boxes anymore). True opt-ins.
- Know WHERE your data is, WHY it is there and HOW you’re using it: Create a list of all the systems that hold data. Where is it getting shared? Do you keep personal info? You need to be very clear and aware of what it is that you’re collecting and why. Understand how data moves in your organization – particularly with regards to the transfer of data to third parties.
- Appoint a Data Protection Officer (DPO): Generally, the rule of thumb I’ve seen out there is if your organization has 250 or more people, you should seriously consider either a full or part-time (can be contracted) DPO. If you’re smaller, appoint someone in-house that can serve as your own internal DPO. In an extremely helpful video, Greg Reber of AsTech says that for bigger organizations, the DPO that you will hire requires professional qualifications and likely should not be your IT head, marketing head, etc. DPO’s have law degrees, public administration degrees. They need to have the ear of senior management and should report to that level of the organization. They should be involved with training of your organization, etc. – which we’ll also get to. The DPO delivers PIA’s (Privacy Impact Assessments) and should be viewed as an internal policeman of sorts.
- Have a response plan & proactive plan: speed matters – you’ve got to be able to put your hands on what records were exposed when a data breach occurs – and you need to be able to do that inside of 72 hours (and no it does not matter if that falls on the weekend, if there’s a holiday. It’s 72 hours, period). You also need to have prepared comms ready to go.
- Security Systems: the point of setting up these systems is to ensure you’re doing the most you can to protect people’s data.
- Comms Contacts: Make a list of everyone that needs to be contacted when a data breach occurs – your internal list, legal, etc.
- Comms Templates: Go ahead and create communication templates so you already largely know what to say in an email, what info should be reserved for phone calls. Consider all your stakeholders: controllers, processors, customers, stakeholders.
- Training: Get your trainings in place. You will need to be able to document the trainings that your organization undergoes for this. And be warned – there are already reports of people attempting to do GDPR trainings for companies that are giving erroneous information! Make sure you check them out thoroughly and involve your DPO in making sure the training process is vetted for its content and validity for your own organization.
GDPR / Marketing Terminology & Acronyms:
There are a lot of acronyms and terms associated with this topic as well. Here are a few you’ll see a lot:
- PIA: Privacy Impact Assessments (large organizations will be required to do this)
- PII: Personally Identifiable Info
- DPO: Data Protection Officer (like your internal policeman for GDPR)
- ICO: Information Commissioner’s Office – the UK authority who will implement and police regulations
- DPA: Data Protection Authority – gives out fines, reinforces limitations on your organization, educates organizations on risky processes you might have. Can also deal with local DPA’s.
- EC: European Commission of the EU (European Union)
- PECR: Privacy and Electronic Communications Regulation
- Data Controller: the organization who makes decisions about how to process and treat data. You originally collect it. You provide the privacy notice. You meet transparency requirements.
- Data Processor: Works with you – a third party – to process data. They could implement campaigns for you, decide what they’re going to do with that data (which would make them a joint controller).
Other helpful resources and content on GDPR:
My understanding of GDPR was immensely helped by some of the below articles and videos. These are some of the best experts I’ve found so far on the subject (among several):
- GDPR Requirements, Deadlines and Facts by Michael Nadeau of CSO
- How Will the GDPR Impact Digital Marketing Professionals? – by Peter McIntyre of Edelman
- What Small Business Owners Should Know about GDPR and Why – by Brett Piatt of CSO; Steve Ragan interviews Greg Reber of AsTech
- Countdown to GDPR: The Role of a Data Protection Officer – JDSUPRA Podcast with Jonathan Armstrong, Partner at Cordery Compliance Ltd in London.
- GDPR and Privacy Shield
- Full text of the GDPR
- Market intelligence report on GDPR
- The European Commission’s public site on GDPR
- Data Protection Authorities’ GDPR guidelines
- Privacy Shield
- U.S. Department of Commerce Export Resources and Office Network
What questions do you have? Is there new / updated info to this that you’re aware of? Please share it in the comments below – we’d love to hear from you! Becoming truly GDPR-compliant is going to be a long road for a lot of companies. We’re here to help you get there and especially keep apprised of best practices as they come out.