What US Companies Need to Know About GDPR Before May 25, 2018

The General Data Protection Regulation (GDPR) aimed at protecting personal data of European Union (EU) citizens goes into effect this May 25. If you don’t have a business location in the EU, you might think you are immune. But if you target customers in Europe, or are processing data from prospects in the EU—even if only collecting or storing email addresses—it applies to you. And the standards and stakes are high.

The penalties for non-compliance—with 20 million Euros in fees or 4 percent of global annual turnover, whichever is higher—can be severe. Every business that interacts with customers in the EU, online and/or via email, is liable. It also covers browser cookies/ history, downloaded content, and demographic data collected.

Yet, despite the quickly looming deadline and the potential for severe penalties, 70 percent of marketers in global organizations say they are not fully aware of GDPR implications, according to a study from the World Federation of Advertisers.

So, what do you need to know about GDPR? The following are a few high-level points every executive and marketer should know.

As a manager or marketer, you are the one responsible for data protection
GDPR seeks to change how businesses collect, use, and disclose how they will use information from prospects, or “data subjects” for email marketing and lead generation. It breaks down the roles of individuals at organizations involved in these processes into either controllers or processors. Controllers determine the purpose and means of processing personal data. A controller can be a company or a marketing person. Processors, conversely, process the data on the behalf of the former. A processor could be an IT person and/or a technology company, like MailChimp, Unbounce, or HubSpot. Controllers and operators each have specific requirements in GDPR. Collectively they are responsible for data protection. However, the controller has primary responsibility for demonstrating their companies’ compliance, even where processing is carried out by a software provider.

Obtaining consent, and keeping track of it, will be very important
GDPR requires that marketers gain a “lawful basis for processing” personal information. This can include leveraging personal information to communicate about information necessary for performance of a contract (such as providing updates on services or warrantees to customers), or a legitimate interest to the individual (regarding related products or services, and with the ability for them to opt-out), or for which the organization has obtained verifiable consent to process personal data. To prove verifiable consent, the organization must have a written record of when and how prospects agreed to let the organization use their information. A pre-checked opt in box may not be considered sufficient. If you bought a list and do not know the source of the data or have explicit, verifiable consent to contact those individuals, that could be a major problem.

Prospects must be informed of exactly how you will use their data
Organizations must make sure individuals are clearly informed about all the ways they might use their data. When you attract consumers to your website and collect their data (via a form or otherwise), you will need to indicate how it will be used—sending more information via email, sharing their info with affiliates, etc. This must be listed clearly, and the individual has to give consent to use the data in this manner. MailChimp suggests having separate checkboxes for subscribers to opt in to each element of your marketing outreach (e.g., receiving email, being targeted for online advertising, and so on.)

Some important points to know about data, consent, and GDPR:

  • If your company changes or expands how you will use the data of EU prospects, you will have to get consent again.
  • Even if you are only storing data, your company has to have permission for how it is stored. The same is true of sharing data.
  • Data that is obtained must be appropriately secured, with encryption, and notification of a breach must be made to data processors within 73 hours.

The data you collect and store must be relevant to the purpose
In accumulating prospect data, organizations can only collect information that is relevant and limited to what is necessary for the purpose it was initially obtained. If it’s considered excessive or unnecessary, it could go against GDPR. If, for instance, you run a campaign, data that you collect for it may be able to be used only for that purpose. After the time required to fulfill the initial purpose, you may need to get rid of the data. It is important, therefore, for companies to have data retention policies, identifying when and how long they will hold information.

You will also need to manage consumer requests regarding their data
Businesses will need to show that they can delete prospect data from their systems upon an individual’s request (“right to be forgotten”). They will also need to be able to modify personal data, only use it for certain marketing activities granted by an individual, give individuals access to their data, and be able to transfer the person’s data to another organization upon request.

Potential GDPR Considerations
For all of these reasons, it is important for marketers to assess existing processes through data mapping or other means and initiate new practices that are in compliance with GDPR. Developing policies, procedures, and controls with your legal counsel will be essential. Some actions to take might include:

  • Critically examine all lead generation and email processes to confirm you have lawful basis and/or consent to process contact records
  • Ensure that language (on how data will be used and stored) is clear and that you are using information only for the described intent
  • Make sure that you are using GDPR-friendly forms, pop ups, etc.
  • Examine how you are using cookies and gaining consent from data subjects for using them
  • Review your organization’s privacy statements and practices
  • Make sure you have security procedures in place to safeguard data and written processes in case of a breach
  • Consider using more calls to action, signup forms, and opt-ins with clear language and guidelines on your data policies to get prospects to consent to your using their information in the manner(s) in which you have indicated.
  • Consider ensuring consent with practices like double opt-in for signups to your marketing databases
  • Collect opt-ins for contacts already in your database for which you don’t have specific opt-in records. HubSpot suggests running a one-time permission pass campaign email that requests they confirm their desire to receive emails from you
  • Ensure you can accurately track and segment prospect information in your databases
  • Set up “preference centers” for prospects to be able to update their information and let them control how they want to interact with you
  • Keep accurate records of consent, personal data your organization holds, where it comes from, who it is shared with, etc.
  • Ensure you have processes in place to delete, update, or transfer an individual’s data when requested
  • Examine your marketing tools and how they will implement updates to help you to comply with GDPR
  • Determine individuals at your organization, or consultants, that will lead GDPR, and if you need to hire a data protection officer to help ensure compliance.

Regardless of whether your business has prospects in the EU or not, GDPR is an important reminder that governments and citizens are more concerned about privacy and targeted communications than ever before. Executives and marketers need to be on the forefront of adopting GDPR standards, as privacy standards become increasingly more important.

Information in this article is intended to offer initial feedback on GDPR. Clearpoint Agency is not a legal company and does not offer legal advice. Please check with an attorney regarding GDPR.

By Hilary McCarthy, Director of Public Relations, Clearpoint Agency