We are less than a month away, but May 25, 2018 is a date we’ve had marked on our calendars for some time. It’s the date that the European Union’s new General Data Protection Regulation (GDPR) comes into effect. It means significant changes in how businesses across the EU and the rest of the world collect, handle and store electronic data of European Union citizens with specific implications for marketing startups. We are not unaffected by GDPR, where ever we are in the world, and we all, from the smallest startups to the largest marketing consultancies, need to understand what it means and how it works, and in most cases, implement some of its requirements.
For many, the Cambridge Analytica issues in which Facebook was recently involved, have shed light on this topic, but this has been in the works for quite some time and it would not be surprising if the United States and other countries begin to adopt some or all of the GDPR policies. Particularly in media properties online, the Social Media experience that Facebook revealed to us is an important reminder that readers such as yourself really need to be cognizant of the implications herein. While we have tried to tackle the big ideas in the GDPR, there are still a lot of unknowns until court cases are begin to occur, so we still recommend consulting with a lawyer that can address your business and potential compliance issues. Now that we have the legalese out of the way, on to the breakdown that we hope helps the MediaTech Ventures community:
What is GDPR?
The new General Data Protection Regulation was announced in 2016. Initially, organizations were encouraged to comply voluntarily with the understanding that it would become law in 2018. From May 25, organizations in every sector throughout the European Union – including private businesses, government organizations and charities, are required to adhere to the regulation. It sets down specific criteria for what organizations that hold data can and cannot do with it, including handling, usage, storage and disposal. It even provides owners of the data with new consumer rights – and that has critical implications for your marketing data.
It will create a standard right across the European Union where disparate and sometimes confusing requirements existed before. GDPR is designed to be one of the most robust pieces of legislation on data protection and storage and to unify standards for easier compliance. There are no plans here in the USA to change our current data compliance standards, but we are definitely not unaffected by GDPR!
Why Should Your Business Care about GDPR?
If the answer is yes to any of these questions, then GDPR will affect you:
- Do you presently work with any organizations based in the European Union?
- Do you have customers located within one of the 28 EU member states on whom you keep and handle data for marketing purposes?
- Do you have people on your email marketing lists that are EU citizens or you don’t know if they are EU citizens?
The regulation is designed to protect consumer data for citizens of EU member states and anyone with European Union citizenship. That means if you want to continue doing business with your EU-based partners, you will need to comply.
If you only do business in the United Kingdom and are breathing a sigh of relief. You shouldn’t be. While in June 2016, the United Kingdom voted to leave the European Union, if you work only with British companies, you will still be expected to comply with GDPR. The United Kingdom signed up to GDPR before the “Brexit” vote; following the vote, HM government agreed to maintain their adherence to GDPR.
Who Will GDPR Affect?
Regardless of the size of your business, or location, if you fit any of the criteria so far discussed, it will affect you. Further, as this data is being transferred, handled, processed and stored outside of the European Union, you are required to put certain safeguards in place.
But how you approach GDPR will depend on the size of your business. If you’re a startup or simply have a website based in the U.S., it’s useful to familiarize yourself with GDPR for a variety of reasons. Some contradictory information exists on the internet stating that if you’re a startup or small business employing fewer than 250 people, you are not bound. This is not true. Your requirements do vary based on size, but not to the extent that it doesn’t apply to startups. The only difference is the level of detail required. If the data is likely to present a threat to the freedoms and rights of the subject and is not subject to occasional processing, then GDPR applies. For marketing firms – even small ones – personal information that can inform a marketing campaign makes this sensitive data subject to the regulation.
If you are a much larger business (that is, employing over 250 people) and handle sensitive data of EU citizens, you are required to employ a Data Control Officer. Most organizations in the US already have one of those; the title is not specific and the responsibilities can easily be the remit of the person already responsible for data security.
Some Key Points and Best Practices of GDPR
GDPR is a lengthy document full of specifications on compliance. You don’t need to read it all; you may even find (depending on the size of your business) that most of it will not apply to you. As mentioned above, if you are positive that you have no customers inside the European Union and do not handle marketing data of people who do, then you don’t need to concern yourself too much. However, if it is likely that you will in future, it is useful to know the following key points about GDPR:
Data Collection
Any data that you collect for marketing purposes will now require explicit consent including details on which personal information you are collecting. It’s no longer viable to place discrete checkboxes on your email list sign up forms or lead collection page that you have “pre-checked.” The marketing customer must check the box willingly. Marketers we know are discussing creative alternatives to checkboxes, like an unselected dropdown menu that requires someone to select either “Yes” or “No” when asked if they agree to your privacy policy, or consent to being on your email list, thereby forcing a user to make a decision, rather than hoping for an opt-in.
Data Storage
When you store this data for marketing purposes, you must also keep information regarding its importance. Alongside this, you will also need to keep details of time-stamped and explicit consent to hold that data. You also have a legal obligation to explain to the customer where that data is stored.
Data Usage
GDPR also governs how you use that data. Even when you have permission from the customer for a primary purpose, you are not permitted to transfer that data to a third party without explicit consent to do so. Information can be held only for original intent. No retroactive permissions may be applied; if you wish to use it for other marketing applications, you must seek explicit consent once more.
Consumer Data Rights
Now, all EU citizens, regardless of where the holder of their data is in the world, has a right to know who has their data and what data they hold. They also have the right to request that you delete any and all information under a clause generally called “The Right to Be Forgotten”. Queries regarding what information you hold should be answered promptly; they may request that you delete any information you hold.
Procedure for Data Breaches
Data breaches will have a set procedure. You are required to notify the relevant data regulator within 72 hours of noticing the data breach. They will then decide on its severity; you are then required to notify the data owner of the breach including details of what was taken and what you intend to do about it. There is an exception when the data is encrypted to the extent that the information would be indecipherable with the decryption key.
The Effects of GDPR Non-Compliance
It’s been pointed out that all businesses that deal with EU citizens must comply. To ensure compliance, the European Union has put in place certain standards and penalties for organizations that fail to comply. You may face a fine of up to up to €20,000,000 working out at around $24,450,000 US or a maximum of 4% of your organization’s global turnover (before any taxes you pay are deducted) for the last financial year – depending on which is greater for top-tier violations.
That is the maximum.
The regulator will take into account a number of factors including the duration and severity of the violation, whether there was malicious intent or negligence, whether you have a history of violation (f you’ve persistently flouted the law), the harm that the data owner suffers (if any), responsibility of the data controller and cooperation with relevant authorities.
Lower tier violations are slightly lower with a maximum fine of €10,000,000 or around $12,225,000 USD, or 2% of turnover.
As for who will investigate and impose the fine, that depends on which member state the EU citizen resides. This can be complex as each nation has a separate Data Protection Authority which could complicate things, even more so for organizations such as yours that do not operate inside the European Union.
—
As the founder of The Pony Group, a Fractional CMO and business advisory firm in Austin, TX, I have found myself researching GDPR in depth thanks to our local clients doing business abroad, along with our global clients based in the EU. It has been a whirlwind of research and learning, which is by no means all covered here. There are endless resources available, including all of the EU’s official resources, which can be found here: GDPR (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL). From a legal standpoint, this is meant to be an introduction, so you should definitely consult your own legal experts for compliance advice as it relates to your own business and data practices. This likely is only the first of many data regulations that will be created and will affect the marketing and technology industries, so buckle up and get ready for the ride ahead.
Nice work!
Thanks Michael! I also need to shout out to you for helping me with a lot of the research that went into this!
The interesting thing is it’s not as stringent as I thought. As long as you can trace data, audit it’s portability and have policies in place for deletion you’re in good shape. Still trying to figure out how they will enforce.
There are a lot of question marks around enforcement that are going to be a “wait and see” type of mindset. Some smaller businesses I have spoken with have the mindset that they will only focus on the big corporations. Interesting times!
[email protected]