As of May 2018, the EU’s General Data Protection Regulation, the most expansive government legislation on data protection yet, came into effect. This legislation is extremely consumer-oriented and codifies what responsibilities businesses have in terms of collecting, protecting and using personal data.
What’s more, businesses found in breach of any GDPR requirement can face hefty fines, either 4% of annual global turnover or €20 million in extreme cases. In other words, you ignore the GDPR at your own peril.
GDPR requirements apply to any personal data of people with permanent residence in the EU. So your company will come under its jurisdiction if it processes personal data of European citizens, regardless of where you’re based.
Additionally, the GDPR does not scale its requirements to company size. Any business, from a mega-corporation to a mom-and-pop operation, is bound by them if it works with data pertaining to EU nationals.
Depending on how many impressions you get from Europe, there’s a good chance your digital marketing apparatus falls under the purview of the GDPR requirements. If so, you have to make major changes to your privacy policies and be aware of the following pillars of the General Data Protection Regulation.
GDPR Right to be Forgotten
Perhaps the most radical tenet of the General Data Protection Regulation, the GDPR Right to be Forgotten gives users the ability to request that their personal data be erased completely, so long as certain conditions are met.
The difficulty of the GDPR Right to be Forgotten is making sure the data subject’s personal data is erased from all archives and processes, including those under the purview of sub-contractors such as a marketing agency. This connects to another key GDPR tenet: privacy by design.
Privacy by design is not a new idea; it refers to the general principle that data protection and respect for privacy need to be built into marketing systems from the outset, rather than bolted on as an inconvenient addition.
That means that at every step, your marketing team needs to consider questions like “Is the data we’re compiling necessary for our purposes? Are we taking reasonable precautions to protect that data? Are there processes that will let us quickly delete unnecessary data?”
While potentially frustrating to implement, privacy by design is a good way to build brand loyalty at a time when consumers are more concerned about data collection practices than ever before.
GDPR Marketing Consent
Another central tenet of the General Data Protection Regulation is that any data you acquire from web users through cookies or other tracking mechanisms must be collected with their full consent, especially when it is used for marketing purposes.
What’s more, the request for GDPR marketing consent needs to be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.” This means that terms and conditions policies need to be written so that the average person can understand what they’re agreeing to and what information they’re giving up.
Once a user does give GDPR marketing consent, they can also withdraw it at any time without penalty. Specifically, the regulation states: “It shall be as easy to withdraw as to give consent.”
Data subjects can also request access to all the information you hold on them, as well as an explanation of how that data is being used, free of charge. They can also ask you to transfer all the data you hold on them to another organization, including rival businesses.
GDPR Breach Notification
Under the GDPR, companies are required to inform users and the appropriate officials of a data breach within 72 hours. Within that window, you not only need to assess the extent of the breach, but also craft a public statement that includes specific required information. And that’s before counting the other damage control and crisis communications efforts your team needs to jump on.
What Should I Do?
If you’re feeling overwhelmed by all this, the first thing to do is check your analytics and see whether you have traffic coming in from Europe. If you fall under the law’s jurisdiction, you and your lawyer need to read the full text of the GDPR and draft new privacy policies that comply with it. For more information about the GDPR and to see frequently asked questions, visit the EU GDPR official website.
To ensure your website and its associated data are secure, Eden Advertising will take every opportunity to keep your operations up to date with the latest security protocols, including obtaining an SSL/TLS certificate. Contact us for more information.