What Is “GDPR” and What You Can Do To Be Compliant
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.
What Is “GDPR”? And Why Businesses Should Care
GDPR stands for General Data Privacy Regulation. It is a new EU (European Union) Regulation that significantly enhances the protection of the personal data of EU citizens and increases the obligations on organizations that collect or process personal data of EU citizens.
Even if an organization is based in the U.S., if it controls, collects, or processes the data of EU citizens, the GDPR will apply — which is why so many of them are updating their terms and policies, and subsequently notifying users. This is *not* a result from the Facebook privacy breach… that is just a coincidence.
This regulation applies to internet businesses as well. If at any time, you’ve used an email database, collected email addresses, used the Facebook Pixel to track user data on your website and then remarket them with ads, use cookies on your website to track user data, process online payments, or collected any personal user data in any shape or form, it is in your businesses best interest if you update your privacy polies, terms & conditions of agreement, etc. to let people know how you handle and use their personal data.
And you have until May 25, 2018 to update these policies and notify your users or you could face hefty fines if you’re found to be in violation of the GDPR (up to €20 million or 4% of their global annual revenue [whichever is greater]).
You may think you’re fine since we’re in the U.S. and you don’t think you have any EU citizen’s personal information … but the keyword is *think*, so are you 100% sure? If you use Facebook’s insights and go to the “people” tab, you’ll see who your fans/followers are – my guess is some might be in the EU. What about the people who go to your website and fill out a contact form? I will venture that some of those people are in the EU too, and if your email automation captures email addresses of those who fill out contact forms, guess what? You need to update your privacy policy & terms and conditions in order to be compliant.
Don’t forget about your email lists! Do you have any EU citizens on your contact list? Do you know for sure? How comfortable are you with risk in your business? We would recommend updating your policies & procedures just in case so you’re 100% compliant so you don’t find yourself in hot water later.
The companies who have purchased email lists, used cold emailing tactics, or used other questionable outbound marketing tactics will be impacted the most. These marketing tactics will no longer be allowed on EU citizens after May 25, 2018. And in our opinion, shouldn’t be used on U.S. citizens either!
Let’s face it, these tactics are a bit outdated and ineffective. If you can use inbound marketing strategies that put the consumer first, and attract customers through valuable content and problem solving, you will get people to opt-in and receive your communications, legally and ethically.
How Does The GDPR Going To Affect Our Marketing Strategies?
The GDPR regulates how a business collects, stores, and retains a person’s personal information, so you’ll need a plan for how you do this. So far, we’ve talked a little about collecting data, but another key aspect we suspect will affect businesses is the data retention. A business is only allowed to keep the data as long as there is an active relationship between the customer and business, so you need to have a plan in place to go back and delete any customer data you’ve collected once that relationship is terminated.
Additionally, when a business stores customer data, the company needs to document, document, document. When in doubt, document. That way, you will be able to show the what, where, when, and why surrounding a customer’s personal data.
Auditing your databases will be a time-consuming, pain-staking process, but you can rest easy knowing you’re in full compliance, using legal and ethical processes!
Another important item to document surrounds the area of when a consumer gives you their consent; this way there is no question that you obtained their data legally.
To verify consent, all EU records in your database should have:
- Opt-in date and timestamp
- Opt-in source
- Opt-in IP address (if available)
And just a reminder, tracking BOTH data consent and email consent as one does not guarantee the other. However, giving email consent can constitute data consent, if appropriate privacy policies are acknowledged by the consumer.
Speaking of consent… guess what, there are restrictions on this aspect too.
What It Means When a Consumer Gives Their Consent
Did you know that it is no longer allowed to bundle a consumer’s consent (opting into marketing communications) with another action, such as downloading a free paper?
You may, however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset. And always ALWAYS link your forms to your privacy policy!
We will provide links at the bottom of this blog that will provide further details about the GDPR, like GDPR checklists, a guide to GDPR, guide to auditing your database, and a link to the differences between CASL (Canadian Anti-Spam Law) and GDPR.
Why Marketers (and Companies) Should Welcome the GDPR
Don’t get us wrong, this may be a painful and time consuming change for businesses to make, but as with most changes that are happening in the online world, businesses that are early adopters will appear trustworthy in consumer’s eyes! So don’t look at it as a horrible thing that you’re being forced to do… think of it as another awesome opportunity for your business to stand out when competing with other businesses!
HubSpot Marketing Fellow, Sam Mallikarjunan, says: “Just like we had to teach people to shred their bank statements, we need to teach people the basic ways in which your privacy can be abused.”
As consumers become educated in protecting their personal data, they will respect your company for being proactive in this area, as it shows that your business cares about them as a person, and not just another sale or dollar sign.
Greater transparency between companies and people is key and will lead to greater understanding about why and how people should share their data.
Think of this as a user, from your own personal perspective… you would want to know what companies are doing with your personal data, right?
Again, this is currently a EU regulation but I believe will become a U.S. regulation in a year or two; this is a huge opportunity for businesses to articulate the importance of people sharing their data and how it leads to greater personalization, better products and services, and a more efficient data economy.
As companies, let us be proactive to help start this discussion and shape this new era of marketing.
Resources:
Hubspot. (2018, February 28). What is the GDPR? And What Does it Mean for the Marketing Industry? Retrieved from Hubspot Blog https://blog.hubspot.com/marketing/what-is-the-gdpr
Miles, Michelle. (2018, March 6). GDPR Requirements for Consent: What You Need to Know. Retrieved from Perkuto https://perkuto.com/blog/gdpr-requirements-for-consent-what-you-need-to-know/
GDPR Checklist: https://www.hubspot.com/data-privacy/gdpr-checklist?_ga=2.192949353.518684906.1524855289-1518893851.1524855289
GDPR Guide: https://www.hubspot.com/data-privacy/gdpr?_ga=2.187525228.518684906.1524855289-1518893851.1524855289
How To Audit Your Database: https://perkuto.com/blog/how-to-avoid-a-20-million-mistake-with-your-data/
Differences between CASL and GDPR (scroll down the page about halfway): https://perkuto.com/blog/gdpr-requirements-for-consent-what-you-need-to-know/
