In today's online economy, personal data is one of the most valuable resources a company can acquire. Every website you visit, search you conduct, and picture you post to social media is gathered and used by businesses to more effectively market to their target customers. However, because personal information is so valuable, it's especially vulnerable to theft and misuse.
This is why the European Union is introducing the General Data Protection Regulation, or GDPR, to provide its residents with the power to enjoy better control over how their personal information is acquired and used.
The GDPR is a privacy regulation that was adopted in April 2016 and will take effect on May 25, 2018. Its purpose is to standardize the various pieces of privacy legislation in place across the 28 EU countries into a single set of regulations that will provide protection to all EU citizens. It places strict rules on how companies can acquire, store, and use personally identifiable information (PII), and it extends personal data and data protection rights, placing a much greater degree of control over data into the hands of EU residents.
Clearly, the GDPR will have a significant impact on companies that are located within the EU, but what implications does it have for businesses based outside of the EU?
While previous privacy legislation was predominantly framed around the party who controls the data, the GDPR is framed around the data subject (in this case, the data subjects include tourists, residents, citizens, and anyone else in the EU). This means that it doesn't matter where your business is located; if you will be targeting your goods or services for sale within the EU, your compliance is mandatory.
As stated by Information Commissioner Elizabeth Denham, the purpose of this new regulation is not to gain an excuse to place heavy fines on businesses; the focus of the regulation is to put the consumer and their right to privacy first. The GDPR provides the Information Commissioner's Office with a wide array of sanctions to help businesses comply with the new regulation, including warnings, reprimands, and corrective orders. The issuance of severe fines will be a last resort and will generally be reserved for severe breaches.
While the majority of the actions taken against organizations will not hit them in the pocket, it's worth noting that failing to adhere to the new regulation could result in severe fines of up to four percent of annual global turnover or 20 million pounds, whichever is greater. Under the GDPR, fines will be roughly 79 times higher than they are under current legislation.
While the GDPR may sound intimidating, the truth is that there are really only three key areas that marketers need to focus on: how they handle email opt-ins, what data they are able to access, and what types of data they store.
Currently, businesses can make the default assumption that if a person provides contact information, they are willing to be contacted. Under the new regulation, this will be reversed. Unless a site visitor specifically and explicitly affirms that they would like to receive follow-up emails and promotions, the default assumption should be that they do not want to be contacted.
In practice, this means that a pre-ticked box that automatically opts in prospects and customers won't be acceptable; opt-ins have to be a deliberate choice.
This applies both to a marketer's owned lead sources (like their landing page forms and website) as well as third-party lead vendors who create lists of potential customers for the business to proactively contact. It's essential that marketing teams ensure that the media partners and lead vendors that are collecting prospect data on their behalf are GDPR-compliant. Otherwise, they could face legal repercussions.
The "right to be forgotten" is a focus of the GDPR, giving people the ability to control how much of their data is collected and used, as well as the ability to access or remove it. As a marketer, it will be your responsibility to ensure that your users can easily access their own data and remove your access to it. This may be as simple as including a clearly visible unsubscribe link within your email marketing template and providing users with a link that allows them to change or remove their personal contact information.
Virtually all marketers are guilty of gathering and hanging on to more personal data than they currently need, operating under the philosophy of "getting while the getting's good." The argument is that while that data may not be necessary right now, it may be useful in the future.
The GDPR requires that marketers provide legal justification as to why they're collecting the personal data that they are. For this reason, marketers should focus on getting only the most basic information that they need at that point in time, rather than attempting to gather the "nice to have" information that could be beneficial in the future.
While on the surface, the GDPR may sound intimidating, it's important to note that the regulation isn't designed to prevent businesses from effectively marketing to their customers. Marketers will simply be required to branch out from a one-size-fits-all marketing approach and further explore the needs of their prospects. The rules of compliance are simple: don't assume that someone wants to be contacted, make it easy for them to opt out of emails at any point, and don't gather and store information that you don't need.
If you can do this, then you're well on your way to being compliant.
Published by William Flaiz on 07-30-2018