Note: this article is for reference and education purposes only and is not legally binding advice or direction. You should seek legal counsel for official advice and direction regarding GDPR compliance.
On May 25, 2018, American companies doing business in the EU will have additional regulations to consider. That is when the General Data Protection Regulation (GDPR) takes effect. The GDPR is an EU regulation governing personal data and privacy, and it applies to the personal data of people in the EU regardless of where that data is processed or stored. A US company that holds personal data about people in the EU falls under the regulation and can be fined for noncompliance.
So what can you do to prepare? First, know the facts.
What does the GDPR include?
The General Data Protection Regulation (GDPR) is having a global impact on how businesses handle consumer privacy and data. Since this degree of regulatory oversight of personal data is unprecedented, businesses everywhere need to reevaluate and change their procedures to ensure the highest levels of privacy protection, or face a fine of up to €20 million or 4% of annual global turnover, whichever is higher.
It is important to know that "personal data" is not just a first name, last name or e-mail address: an IP address, cookie identifier or other online identifier that can single out a person is considered personal data as well.
Some of the main compliance factors:
- Appoint a DPO (Data Protection Officer) where the regulation requires one. The DPO must be free of conflicts of interest, so the role should not sit with someone who decides how personal data is processed, such as the head of IT.
- Handle consumer data carefully, and understand and document the entire path that consumers' data takes through your systems and vendors.
- Give consumers the ability to see, check and remove any information pertaining to them. This includes providing a copy of their data, and an explanation of how it is being used, when they ask for it.
- Obtain and record consent for the data you collect. Be able to show that the company is processing personal data lawfully. A user's consent to hand over data must be clear, specific and freely given, and the request for it must be transparent.
- Ensure data remains protected through new processes and responsibilities (think new positions within companies such as the data protection officer).
- Encrypt or pseudonymise identifying data so that a stored record cannot be linked back to a person without a separately held key, and delete identifiers you do not need at all.
- Implement processes to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to notify the affected individuals where the breach is likely to put them at high risk. The notification must describe the nature of the breach, give the name and contact information of the data protection officer (or similar role), describe the likely consequences of the breach, and state what is being done to address it and mitigate its adverse effects.
- Provide a method of data "erasure", whether that is a user login dashboard with tools for self-managed limiting and removal of data, or a request form that triggers erasure from every data store where the person's data is held, backups and vendor copies included.
Overall, marketing efforts such as data mining, remarketing, location targeting and more will need safeguards and processes in place to ensure correct handling of data under the new GDPR rules.
What are companies doing to prepare?
Update your Privacy Policy
Your website's privacy policy is the keystone of GDPR compliance efforts. The main elements of a new privacy policy should cover:
- How, where and why you collect personal data
- How you use that data collected
- How you handle data removal requests
- How you handle data breaches
Again, it is important to have legal counsel review and approve your Privacy Policy. Never copy and paste a Privacy Policy from another website or use a stock Privacy Policy template found online. Here's a great Privacy Policy example.
If you use marketing technology platforms—think media vendors, email marketing, dynamic content, social media, Google Analytics, etc.—you’ll be noticing changes in their privacy terms, new features being rolled out, and the removal of some audience targeting efforts. Here are a few of the efforts currently changing:
Social Media Platforms
Facebook is currently updating its privacy controls for both consumers and businesses. From a consumer perspective, it is simplifying the design and usability of privacy settings so users can more easily control which data is shared. From a business perspective, it is altering how businesses can advertise and target potential customers on the platform. These updates include:
- A new consent agreement for advertisers, stating that the people in any customer data they upload (think customer databases for lookalike audiences) have consented to being marketed to.
- Phasing out the ability for businesses to target ads based on third-party data (such as in-market for auto or home purchases, household income, purchase behaviors and more).
Dynamic Content Platforms
These platforms add tracking pixels to a website to change the web content dynamically based on the known actions of the visitor. Vendors are updating their features to remove identifying data from audience segments, to honour "do not track" (or right-to-consent) settings for consumers, and to let individuals request access to, or deletion of, the data captured about them.
Email Marketing Platforms
Email platform companies have been strict about consent and opt-in laws for some time, requiring that anyone being sent an email has agreed to it and can easily unsubscribe. Email platforms are now taking it a step further, developing processes to answer data requests from consumers who want to know how their data is used and to have it removed.
GDPR affects very common tools that are probably installed on your website, including:
- Google Analytics
- Google Tag Manager
- Remarketing Pixels (proprietary, Facebook, etc.)
- Google Fonts
- Contact Forms
- Banner Advertising
- YouTube Videos
How will this impact your digital marketing efforts?
With a stronger focus on consumers' data privacy and protection, practices and ways of doing business will change. From a business perspective, here are things you should be implementing or discussing with your marketing team:
- Check your email signup forms. If you gather email signups online, make sure there is a clear statement that by submitting the form the person consents to join the marketing list and receive advertising content. If you use a checkbox, it must not be checked by default: a pre-ticked box does not count as consent.
- Notify visitors about cookies and tracking. If your site sets cookies or loads targeting pixels, expect to show a notice that tells visitors what is being loaded and lets them decline non-essential tracking; tags that need consent should not fire until it has been given.
- Outline the ways your company gathers consumer data, where it is stored and how it is used. Look for weak points in that flow and ways to tighten the process.
- Understand how your data is stored and what is required to keep it secure: what encryption is used at rest and in transit, how backups are taken and how long they are kept, what password requirements apply, who has access, and more.
- Turn to your legal team for guidance. With so much legal complexity (and extensive fines for noncompliance), make sure your legal counsel can sign off on your data collection policies with regard to the GDPR.
Moving forward, it will be even more important to understand where your customer data comes from, how it is shared and stored, and who has access to it.
Other great resources
Official EU GDPR website
https://www.eugdpr.org/
GDPR broken down by Chapter/Article
https://gdpr-info.eu/
How To Make Your Website GDPR Compliant
https://www.elegantthemes.com/blog/tips-tricks/how-to-make-your-websites-gdpr-compliant
6 Insights About GDPR Compliance
https://abovethelaw.com/2018/04/6-insights-about-gdpr-compliance/
This is how Google is preparing for GDPR (related to products running on your website)
https://adexchanger.com/privacy/this-is-how-google-is-preparing-for-gdpr/
GDPR for eCommerce - the definitive guide to getting ready
https://www.omnisend.com/blog/gdpr-for-ecommerce-definitive-guide-free-gdpr-checklist/
MailChimp - Collect Consent with GDPR Forms
https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms