
You Ask, I Answer: GDPR 101 for Marketers

A surprising number of marketers are ill-informed and ill-equipped to implement the largest change in data and privacy in the last 20 years: the General Data Protection Regulation of the EU, known by its initials, GDPR. With recent rollouts of new compliance features by companies like Google, some folks are hearing about GDPR for the first time. Let’s dig in a bit.

DISCLAIMER

I am not a lawyer. For legal questions, please consult a qualified legal professional.


What is GDPR?

GDPR is an EU regulation which strengthens data protection and privacy for people in the European Economic Area (EEA) while promoting the lawful free flow of information across borders.

GDPR treats the personal data of people in the EU (the data subjects) as belonging to the individual rather than to whoever happens to have collected it. An organisation may process that data only on a lawful basis and for stated purposes, and is expected to protect it with safeguards at least as strong as those it applies to its own confidential business data.

GDPR isn’t pending legislation. It was adopted in April 2016 and entered into force in May 2016 with a two-year transition period; it applies in full, and fines become enforceable, from May 25, 2018.

The short summary of what GDPR constitutes includes:

Right to be Forgotten

EU data subjects may ask any organisation that holds their personal data to erase it; for example, an EU data subject could ask Google to delete the data it holds about them. The right is not absolute: erasure can be refused where the data is still needed, for example to meet a legal obligation, but the request must be answered, normally within one month, and any refusal justified.

Right to Access

EU data subjects may request a copy of all the personal data a company holds about them, along with the purposes and recipients of the processing, free of charge and normally within one month. A reasonable fee may be charged only for manifestly unfounded or excessive requests, such as repeated copies of the same data.

Privacy by Design

Rather than being an add-on, privacy is expected to be designed into systems from the ground up and to be the default setting. This includes data minimisation: collect only the data needed for the stated purpose, and keep it no longer than that purpose requires.

Data Portability

EU data subjects will have the right to receive the data they have provided about themselves in a common, structured, machine-readable format and to give that data to a different company if they so choose. The right covers data processed by automated means on the basis of consent or a contract.

Strengthened Consent

Companies doing business with EU data subjects will be required to vastly simplify consent requests: no more pages of unintelligible user licences or tricks designed to mislead consumers into clicking and giving up their personal data. Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative act (a pre-ticked box does not count), and as easy to withdraw as it was to give.

Strengthened consent also requires us to obtain permission per use case of a customer’s data. If we collect permission to use an email address for email marketing, we must re-obtain permission to use the same email address for retargeting/remarketing. Consent is one of several lawful bases the regulation recognises (performing a contract and legitimate interests are others), but whichever basis applies, purpose limitation still holds: data collected for one purpose cannot quietly be reused for another.

If you’re not doing business in the EU, you’re probably saying, “None of this applies to me!”. You’d be wrong…

GDPR Applies To Almost Everyone

GDPR impacts anyone who does business within the borders of the EU or with EU data subjects, and that’s almost everyone. The regulation is extraterritorial: it applies to companies established in the EU, and to companies anywhere in the world whose processing relates to offering goods or services to people in the EU (paid or not) or to monitoring their behaviour there, which is exactly what web analytics, retargeting pixels and marketing automation do.

Consider the implications of this for a business. Do you screen customers for their location at the time of processing? Almost certainly not, except for certain regulated businesses like healthcare and finance.

Here are a few scenarios in which GDPR might be unexpectedly invoked for a non-EU company:

If you collect customer data of any kind that could be personally identifying, such as name, email, IP address, device ID, etc., or you use software that does this on your behalf (Google Analytics, marketing automation, sales CRM), and that collection tracks or profiles visitors or supports selling to them, GDPR applies to you the moment you collect such data from someone within the EU.

If your digital properties have received traffic from the EU in the last year and you track those visitors (analytics cookies, ad pixels, session recording), GDPR applies to you. Merely being reachable from the EU is not enough on its own, but almost every commercial site does more than that.

If you’ve done business of any kind with an EU data subject, including non-financial transactions (free trial, download, free sample, etc.), GDPR applies to you from the moment that person is on EU soil. Even a pizza shop in Nebraska could find GDPR invoked if an EU data subject hands over their details while on holiday and then receives marketing email from the shop after returning to the EU. Whether it actually applies turns on whether the shop is targeting or monitoring people in the EU, but most businesses have no way to tell where their contacts are, so the safe assumption is that some of them are EU data subjects.

GDPR stands to impact advertising companies most of all. Advertising companies – particularly digital advertising – make money by aggregating and targeting audiences using consumer data.

Much of the data already collected is out of compliance with GDPR, specifically with the requirements for strengthened consent, which means ad companies will need to scrub their databases vigorously to reach compliance. Additionally, many data-based targeting options in advertising will either go away or be severely restricted for any audience within, or potentially within, the borders of the EU.

For many marketers, proving consent for our existing databases to meet GDPR standards will be difficult. We may end up re-opting-in many of our marketing lists in order to meet the new consent standards; many landing pages and forms will also need to be re-designed for compliance. We will also need to re-obtain consent for uses of customer data that we did not explicitly obtain permission for at the time of collection.
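As an added illustration that is not part of the original article, the Python below is a small purpose-scoped consent ledger showing the two points above in code: consent is recorded and checked per purpose, so permission for email marketing does not unlock retargeting, and each consent row carries the evidence (timestamp, where it was captured, which policy text was shown) you would need to prove it later, so contacts imported from an old list without such evidence are flagged for re-opt-in. It also implements the access/portability export and erasure described earlier. The class, purpose names and sample contacts are hypothetical and constructed for the example.

```python
"""Purpose-scoped consent ledger (added illustration; not the article's code).

Hypothetical assumptions: one record per contact keyed by e-mail address, a
closed set of processing purposes, and one consent row per purpose carrying
the evidence needed to prove it (timestamp, capture point, policy version).
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Closed set of purposes; consent is recorded and checked per purpose.
PURPOSES = {"email_marketing", "retargeting", "analytics"}


@dataclass
class Consent:
    purpose: str
    granted_at: str                 # ISO-8601 UTC timestamp
    source: str                     # form URL, campaign id, "legacy_import", ...
    policy_version: Optional[str]   # policy text shown at capture; None = no proof
    withdrawn_at: Optional[str] = None


@dataclass
class Contact:
    email: str
    consents: list[Consent] = field(default_factory=list)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class ConsentLedger:
    def __init__(self) -> None:
        self._contacts: dict[str, Contact] = {}

    def record_consent(self, email: str, purpose: str, source: str,
                       policy_version: Optional[str], at: Optional[str] = None) -> None:
        """Store one consent for one purpose together with its evidence."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        contact = self._contacts.setdefault(email, Contact(email=email))
        contact.consents.append(Consent(purpose, at or _now(), source, policy_version))

    def withdraw(self, email: str, purpose: str, at: Optional[str] = None) -> None:
        """Withdrawal must be as easy as giving consent: close every active row."""
        for c in self._contacts.get(email, Contact(email)).consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = at or _now()

    def may_use(self, email: str, purpose: str) -> bool:
        """Gate every use on a current, evidenced consent for *this* purpose.
        Consent for email marketing does not carry over to retargeting."""
        return any(c.purpose == purpose and c.withdrawn_at is None
                   and c.policy_version is not None
                   for c in self._contacts.get(email, Contact(email)).consents)

    def needs_reconsent(self, purpose: str) -> list[str]:
        """Contacts whose only active consent for the purpose lacks evidence
        (e.g. a legacy import): these are the ones to re-opt-in."""
        out = []
        for email, contact in self._contacts.items():
            rows = [c for c in contact.consents
                    if c.purpose == purpose and c.withdrawn_at is None]
            if rows and not any(c.policy_version is not None for c in rows):
                out.append(email)
        return sorted(out)

    def export(self, email: str) -> str:
        """Right of access / portability: everything held, machine-readable."""
        return json.dumps(asdict(self._contacts[email]), indent=2)

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the record; True if something was deleted."""
        return self._contacts.pop(email, None) is not None


def demo() -> dict:
    """Constructed sample data; returns the checks a reader would want to see."""
    ledger = ConsentLedger()
    # Fresh, evidenced opt-in from a landing page, for one purpose only.
    ledger.record_consent("anna@example.eu", "email_marketing",
                          source="https://example.com/newsletter",
                          policy_version="pp-2018-05")
    # Old list imported with no record of how consent was obtained.
    ledger.record_consent("legacy@example.eu", "email_marketing",
                          source="legacy_import", policy_version=None)
    result = {
        "anna_email": ledger.may_use("anna@example.eu", "email_marketing"),
        "anna_retarget": ledger.may_use("anna@example.eu", "retargeting"),
        "legacy_email": ledger.may_use("legacy@example.eu", "email_marketing"),
        "reconsent": ledger.needs_reconsent("email_marketing"),
    }
    ledger.withdraw("anna@example.eu", "email_marketing")
    result["anna_after_withdraw"] = ledger.may_use("anna@example.eu", "email_marketing")
    exported = json.loads(ledger.export("anna@example.eu"))
    result["export_purposes"] = [c["purpose"] for c in exported["consents"]]
    result["erased"] = ledger.erase("anna@example.eu")
    result["erased_again"] = ledger.erase("anna@example.eu")
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the design is that the consent row, not the contact, is the unit of record: a contact with an email-marketing consent but no retargeting consent fails the retargeting gate, a withdrawn row stops working immediately, and a row without a policy version is treated as unproven, which is what makes the re-opt-in list computable rather than a guess.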

GDPR Penalties

Some companies have logically asked whether simply paying fines as a cost of doing business would make more sense than retooling their corporate data infrastructure, but GDPR fines are far larger than those of any privacy law before it.

Fines come in two tiers. Breaches of obligations such as security, record-keeping and processor contracts carry fines of up to 2% of worldwide annual turnover or 10 million euros, whichever is greater; breaches of the core principles, of the lawful-basis and consent rules, or of data subjects’ rights carry up to 4% of worldwide annual turnover or 20 million euros, whichever is greater. The cap applies per infringement, not per affected person: violating the rights of 10 people in one campaign is one infringement, not ten 20-million-euro fines, and where the same or linked processing breaches several provisions the total cannot exceed the cap for the gravest one. The actual amount is set case by case, and the number of people affected, the damage done, intent and the security measures in place all weigh on it.

GDPR itself creates no criminal offences, but it lets each member state lay down further penalties in national law, and some have added criminal sanctions for matters such as unlawfully obtaining or re-identifying personal data, so in some countries individuals, including executives, can face prosecution for noncompliance.

What Should the Average Non-EU Company Do?

To prepare, companies should immediately review the legislation with their legal counsel and perform an exhaustive risk assessment. The average GDPR rollout process looks something like this for the small to mid-size business:

  • Immediately review your internal data governance policies and practices.
  • Immediately check the terms of service of every data processor, the vendors that store or process personal data on your behalf (in GDPR terms you are usually the controller, deciding why and how the data is processed, and they are processors acting on your instructions). Article 28 requires a written data processing agreement with each of them; companies like Google are sending out notices now about what they’re doing to comply with the law and updating their data-processing terms.
  • Adjust any relevant features, in coordination with your IT team and legal team, to be compliant in those software packages.
  • Publish updated privacy policies that are compliant with GDPR.
  • Create a point of contact, such as a project manager, to handle GDPR requests when an EU data subject wants to be forgotten or wants a copy of their data; such requests must be answered within one month. Organisations whose core activities involve large-scale, regular monitoring of individuals, or large-scale processing of sensitive data, must formally appoint a Data Protection Officer.
  • Simplify any user agreements or other terms of service to GDPR compliance standards – easy to understand, easy to read, no tricks.
  • Reduce the amount of data you collect to what is necessary for your business. Every unnecessary point of data will consume more time for dealing with GDPR compliance standards.
  • Web forms in particular should have links and/or prominent privacy and compliance notices on them.
  • If your site uses cookies, publish a notice about it on site, and for non-essential cookies (analytics, advertising) ask for consent before setting them; a notice alone is not consent. This obligation comes from the EU ePrivacy rules, and the consent they require now has to meet GDPR’s standard.

For enterprise businesses, you’ll need outside help, from a major technology firm like IBM as well as legal and auditing resources, to reach compliance in time.

GDPR isn’t the end of the world; once we reach compliance, we’ll be serving customers more responsibly. A GDPR-compliant programme also covers most of what more lenient privacy laws require, though other regimes have their own specifics, so work to achieve compliance as soon as possible.


Want to read more like this from Christopher Penn? Subscribe to the newsletter.