Guest post by GDPR certified marketer Erika Goldwater
It’s countdown time for the pending General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. And you need to be paying attention even if your business operates out of North America.
What is GDPR, you ask? It’s only the most broad-reaching data and privacy regulation since 1995, when the last directive was put in place. The new regulation protects the individual and ensures that privacy and data protection become an integral part of business, not just an afterthought.
The legislation now takes into account modern marketing methods of data collection, as well as new processes and technologies that may impact privacy and data storage, including artificial intelligence, text messaging, and others. And although GDPR was written specifically for EU citizens (UK too), it impacts organizations globally because legislation is binding. Directives were viewed as suggestions by many organizations, but legislation is a different ballgame.
Why will marketers in the US be impacted by GDPR? Any organization that processes, stores, records or archives data of any EU citizen is subject to compliance under GDPR, and it will impact all areas of organizations, from sales to marketing to customer service, across industries. There are many aspects of the 260-page legislation that marketers need to be aware of, but several aspects of change warrant explanation to ensure we are prepared for this paradigm shift in ownership and definitions of data and privacy.
Obligatory disclaimer: The content in this post is not legal advice. This is an aide to help marketers understand the terms and impact of GDPR. Organizations should consult legal and compliance experts when building GDPR compliance processes.
Scope – Any organization that processes, stores, or records data of EU citizens is impacted. This means the organizations themselves, as well as any third party or outsourced organization hired by the organization that handles or stores this data, regardless of the organization’s location or headquarters. Yikes. So basically EVERYONE, and it is important to understand the far-reaching implications of GDPR, as other countries may revise their data policies based on it.
Definition of Personal Data – One of the most important aspects of GDPR for organizations and especially marketers to recognize is that the definition of Personal Data has expanded in a very big way. In the United States we typically use the term Personally Identifiable Information (PII) to define the types of data that are “sensitive”. PII includes any information, such as name, social security numbers or date of birth, that could be used on its own or in conjunction with other information to identify, contact, or locate a single person or identify an individual in context.
The EU uses the term Personal Data instead of PII and has added some very specific and broad categories that are now protected under GDPR. The new category, Sensitive Personal Data, includes ethnic, racial, health, biometric and genetic data. Political opinions and a few other types also fall under Sensitive Personal Data.
Much of what B2B marketers collect and store will be considered Sensitive Personal Data including browser information, cookies, and IP address. Additional information regarding the definitions of Personal and Sensitive Personal Data can be found in this article, Personal data protection: data subject, personal data and identifiers explained.
Consent and Ownership – When marketers think about consent to use or store data, we often believe we have tacit approval from the individual to do so. We also often believe we “own” the data because we have collected it. This is an outdated view of consent and one of the fundamental changes the legislation highlights.
Consent is now clearly defined as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
Individuals also have a right to understand how their data was collected and for what purpose it is being used, and they may change or retract their consent at any time. Pre-checked consent boxes at the end of web forms will no longer suffice for consent. Organizations will need to prove they have consent to market to individuals as well, so bulk buying of lists or names is not a good idea.
Regarding consent, don’t panic. Building a preference center to obtain explicit consent will help manage consent. However, as mid-size and enterprise organizations often have many different CRM systems and siloed platforms, it will be imperative to tightly integrate all data and leave no margin for error. Once someone opts out, they are opted out of everything, from text messages to telephone calls to emails, without fail. This includes emails already scheduled in marketing automation systems. It’s a breach of compliance if an individual receives a message once they have opted out. Pre-scheduled programs are not an excuse.
Individuals, not organizations, own their data, and now have the right to access, edit (rectification) directly and even completely erase (Right to be Forgotten or Right to Erasure) their data. If an individual requests access to their data, organizations have to produce the data without “undue delay” within one month of request.
This means organizations must know where every piece of data is stored (including recordings) so that the consumer may action it accordingly. Most organizations have data stored across different platforms, making consolidation and export of data requests challenging at best.
Act now – If that is not enough to get you thinking about how GDPR will impact your organization, the deadline is fast approaching. The new regulation will go into effect May 25, 2018, and the head of the Information Commissioner’s Office has been very clear in saying there will be no grace period for GDPR.
Lastly, you need to be aware of the penalties for not complying with GDPR, because they are significant. Failure to comply may result in a €20 million fine or 4% of company revenue. There is no time to waste in planning for May 25, 2018. Organizations need to conduct a full data assessment to understand where any and all data resides across their organization and hired third parties, and begin to plan to upgrade their processes to reach compliance. Build or update your preference centers now, and start thinking about data and privacy as the right of the individual, not the organization.
This will impact you. Be ready.