Marketers, advertisers, and public relations professionals are ill-informed and ill-equipped to manage the largest change in data and privacy in the last 20 years: GDPR.
What is GDPR?
GDPR, the General Data Protection Regulation, is an EU regulation that strengthens data protection and privacy for people in the EU and sets obligations for the organisations that collect and process their personal data. Rather than treating personal data as an asset the company owns outright, GDPR gives the individual enforceable rights over it (access, correction, erasure, portability) and requires organisations to protect it with appropriate technical and organisational safeguards, not merely whatever controls they happen to apply to their own internal data.
The short summary of what GDPR constitutes includes:
- Right to erasure (the “right to be forgotten”): individuals may ask an organisation to delete their personal data; for example, a person could ask Google to remove what it holds about them. The right is not absolute: it applies when, among other grounds, the data is no longer needed for its original purpose, or consent is withdrawn and no other lawful basis remains.
- Right of access: individuals may request a copy of the personal data an organisation holds about them, along with an explanation of why and how it is processed, free of charge in the normal case and generally within one month.
- Privacy by design and by default: rather than bolting privacy on afterwards, organisations must build it into systems from the start. This includes data minimisation, collecting only what is needed for the stated purpose and keeping it no longer than necessary.
- Data portability: individuals may obtain the data they provided, in a structured, commonly used, machine-readable format, and have it transmitted to another provider where technically feasible.
- Strengthened consent: where consent is the lawful basis, it must be freely given, specific, informed and unambiguous, signalled by a clear affirmative action. Pre-ticked boxes, pages of unintelligible licence text and tricks designed to mislead people into giving up their data do not count, and withdrawing consent must be as easy as giving it. Consent is also only one of several lawful bases for processing; a business that relies on it must be able to prove it was obtained.
If you’re not doing business in the EU, you’re probably saying, “None of this applies to me!”. You’d be wrong…
Who does GDPR impact?
GDPR applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to people in the EU (paid or free) or monitor their behaviour there, for example by tracking website visitors. The protection attaches to people physically in the EU, regardless of nationality: a US tourist browsing from Paris is covered, while an EU passport holder living in Texas generally is not. The regulation is extraterritorial in that sense; it follows the data subject’s location and the business’s targeting, not the company’s headquarters.
Consider the implications of this for a business. Do you know where your customers are when they sign up? Do you know whether your website’s language, currency options or shipping choices amount to offering goods and services to the EU? Almost certainly not, outside regulated businesses like healthcare and finance that already screen customers.
Here are a few scenarios that show how the test plays out for a non-EU company, including two that are commonly misread:
- An EU resident on vacation in Australia stops by a coffee shop and buys a coffee. Even if they join the shop’s mailing list, GDPR does not reach the shop merely because the customer holds an EU passport: the customer is in Australia and the shop is not targeting the EU. If the shop then keeps marketing to that person after they return home, it may be offering goods or services to someone in the EU and should consider whether the regulation now applies.
- An EU citizen studying abroad in America signs up for cable TV in their apartment. Because the student is in the US and the cable company does not offer its service to people in the EU, GDPR generally does not apply; US law governs what the company may resell or share.
- Someone in Germany visits a Canadian company’s website and fills out a form for a whitepaper download, and the company’s analytics and marketing tags track that visitor. The Canadian company, and the vendors processing data on its behalf, may be subject to GDPR under the monitoring-of-behaviour clause, and under the goods-and-services clause if the site is aimed at European visitors, even though no money changes hands and the two never do further business.
Here’s a quick checklist to see if GDPR is likely to apply to you:
- If you have an office, subsidiary or other establishment in the EU, GDPR applies to you, wherever your customers are.
- If you collect personal data of any kind from people in the EU, such as name, email, IP address or device ID, or you use software that does this on your behalf (Google Analytics, marketing automation, a sales CRM), and you are deliberately serving or tracking those people, GDPR applies to you.
- If your digital properties deliberately serve people in the EU, for example through an EU-language version, prices in euros, shipping to EU countries or advertising aimed at EU audiences, GDPR applies to you. Incidental traffic from the EU to a site that does not target it is, on its own, not enough.
- If you’ve done business of any kind with people in the EU, including non-financial transactions (free trial, download, free sample, etc.), GDPR applies to you.
How else will marketing and PR be affected?
GDPR stands to impact advertising companies most of all. Advertising companies – particularly digital advertising – make money by aggregating and targeting audiences using consumer data, and GDPR treats online identifiers such as cookie IDs, device IDs and IP addresses as personal data. Much of the data already collected has no provable lawful basis under GDPR, which means ad companies will need to scrub their databases vigorously to achieve compliance. Additionally, many of the data-based targeting options in advertising will either go away or be severely restricted.
For many marketers, proving consent for our existing databases to the GDPR standard will be difficult. We may end up re-opting in many of our marketing lists in order to meet the new consent standards; many landing pages and forms will also need to be redesigned.
Public relations will see a temporary boost in importance as many advertising companies and data companies retool. Public relations campaigns may take on more awareness building as advertising rebuilds. However, a tradeoff may be that publications – already under significant financial strain – may fold entirely as ad dollars temporarily dry up, until advertising systems get up to speed.
What are the penalties for noncompliance?
If this sounds like a logistical nightmare, it is. Some companies have logically asked whether simply paying fines as a cost of doing business would make more sense than retooling their corporate data infrastructure, but the fines under GDPR are on a different scale from any data protection law before it.
For the most serious infringements, such as violating the basic principles of processing or the rights of data subjects, supervisory authorities can impose administrative fines of up to 20 million euros or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of up to 10 million euros or 2% applies to other obligations, such as failing to keep processing records or to notify a breach.
GDPR itself sets administrative fines rather than criminal penalties, but it leaves member states free to lay down additional penalties in national law, and some have criminal sanctions for certain data protection offences. Executives should not assume personal exposure is off the table.
How should companies prepare?
GDPR isn’t a pending bill. It was adopted in April 2016, entered into force in May 2016, and becomes enforceable on 25 May 2018, when the two-year transition period ends. To prepare, companies should immediately review the regulation with their legal counsel and perform a thorough risk assessment. The typical GDPR rollout process looks something like this:
- Decide whether you must appoint a Data Protection Officer (mandatory for public authorities and for organisations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of data) and, either way, name someone accountable for interpreting GDPR for your business.
- Consult with your legal counsel about preparedness to address GDPR legal challenges.
- Audit all data collection activities, software, systems, and people in your company, and record for each data set what you collect, why, on what lawful basis, where it is stored, who can access it, and how long you keep it. Services like IBM Watson GRC can help accelerate the process.
- Audit the same for your vendors, suppliers, and partners that process data on your behalf, and make sure your contracts with them spell out their obligations as processors.
- Identify areas where your company is out of compliance.
- Build a remediation plan to achieve compliance.
- Roll out compliance implementation before May 2018.
- Document all steps taken to achieve compliance and certify them with your legal counsel.
All this said, if companies, regardless of location, implement GDPR compliance, they’ll be aligned with current best practices in protecting consumer data and privacy. Even if your legal team says you are exempt from GDPR, adhering to its compliance measures future-proofs you in case you eventually work with EU citizen data, or your country adopts GDPR-like data protection requirements.
Disclaimer: SHIFT Communications is a PR firm, not a law firm. Consult your own legal counsel for advice about implementing GDPR compliance at your company.
Christopher S. Penn
Vice President, Marketing Technology