The European Union’s General Data Protection Regulation (GDPR) requirements go into effect this month, but what does that mean for marketing professionals around the world?
What is GDPR?
When it comes down to it, GDPR is all about giving EU citizens control over their personal data, and this legislation takes a very broad view of what constitutes personal data. Anything from names, addresses and photos to IP addresses, date of birth and even genetic data is considered personal information and is protected under the law. There are still a number of open questions on how this will affect businesses and the digital world, but a few key requirements are clear:
- If you are collecting and storing personal data on EU citizens, you must have their explicit consent and a clear strategy to protect them from a data breach
- If a data breach does occur, those affected must be notified within 72 hours
- Data must be made available, both for auditing and for citizens to access, edit and/or erase upon request
My business is based in the U.S. – will GDPR affect me?
The short answer is yes. Because the regulation applies to any company operating in Europe, its implications reach beyond companies headquartered there to any company that offers products or services in Europe or handles EU citizens’ data. GDPR is the result of increased consumer demand for data privacy, working to ensure personal data is gathered legally and that those who collect the data are able to ensure its security.
How can my business ensure compliance?
The first step in preparation and compliance is to assess your data collection methods and the data you currently have on file. For marketers, there are a few key considerations to take into account to ensure you are in compliance when gathering information, whether that be through mailing lists, website analytics, etc.
- Ensure you are gaining consent for data collection through clear and concise terms and privacy policies
- Have a strategy to consistently renew consent from subscribers
- Ensure your records are organized and readily available for audit or citizens’ requests to access, edit or completely erase the data you have gathered on them
- Update your crisis communications strategy to include data breach reporting
What are the consequences for non-compliance?
Failure to comply with GDPR will result in costly fines of up to 20 million euros or four percent of a company’s annual turnover. Fines will be greater for organizations that intentionally transfer personal data or ignore citizens’ requests for their data. Lesser violations, such as failure to communicate a data breach in a timely manner, will be punishable by fines of 10 million euros or two percent of annual turnover.
What should I do right now?
The best first step you can take as a marketer is to work closely with your legal and IT teams to ensure all of your data collection and handling processes are clearly defined and to close any gaps that become apparent in that process. A clear crisis communication strategy is another crucial aspect of compliance that you can develop in advance. Whether you have a plan in place or not, organizations across the board should consider reviewing and updating crisis plans to include GDPR compliant data breach communications and avoid costly fines.
Dan Horn is an account supervisor at Franco. You can send him an email at firstname.lastname@example.org.