The European Union’s (EU) General Data Protection Regulation (GDPR) law is one of the most wide-ranging and comprehensive pieces of legislation regarding sensitive consumer data ever enacted — and it’s about to go into effect. When that happens, on May 25, it will change the way consumer data is protected, not just in Europe, but worldwide.
Under GDPR, information such as customer IP addresses and even web cookies will be subject to the same strict security standards as physical addresses and social security numbers.
Even if you’re not based in Europe, if you do business there or gather any personally identifiable information (PII) from EU citizens via your website, you will be subject to GDPR regulations.
The penalties for GDPR violations will be significant. Fines up to €20 million (approximately $25 million) or 4 percent of global yearly turnover will be levied against companies found to have inadequately safeguarded data under the terms of the legislation.
Those hefty fines and the complexity of the legislation itself have led to some confusion among business owners here in the United States as they try to understand the impact of the EU changes on their marketing strategy — particularly for operations located outside Europe. Many owners are unsure of how best to comply with GDPR at minimum expense. According to a survey by RealWire, only 16 percent of companies surveyed in the Americas said they believed they must comply with GDPR — a percentage far less than the number of companies actually subject to the legislation.
With GDPR’s start date quickly approaching, here are some actionable steps you can take to ensure that your business is compliant.
1. Appoint a data protection officer.
Designate one person in your organization as your data protection officer (DPO). This individual, at a minimum, should be familiar with the GDPR and what your business is doing to comply. The DPO will be responsible for dealing with regulatory agencies as well as members of the public with requests related to the use of their personally identifiable information (PII).
2. Perform a data audit.
One of the most crucial things your business can do to ensure compliance is to perform a thorough data audit. Start by asking these questions:
What PII does your company currently use and retain?
Is that PII necessary for your business? If not, delete it. The less PII you retain, the less chance of a breach.
Do you have documentation to show that your customers consented to the use of this information?
Do any third-party data processors or controllers have access to PII to perform services at your request? If so, are these vendors also GDPR compliant? Many reputable third-party data controllers have made information on their journey toward GDPR compliance available to customers.
3. Get unambiguous consent.
The GDPR substantially raises the bar for what is considered consent to the use of PII. Consent must be affirmed by “a statement or a clear affirmative action” such as a customer checking a box when visiting a website, according to the legislation. The GDPR explicitly does not regard silence, pre-checked boxes or inactivity as constituting consent. What data is being retained and how it will be used must be explained in a manner easily understood by consumers, and it must be as painless for consumers to withdraw consent as to give it.
Of course, marketers will want to know: What about my existing customer data? Unfortunately, consent can’t just be grandfathered in. Most businesses will have to get new permission consent from their customers, according to BlueSheep. For example, a data audit by W8 Data estimated that 75 percent of existing customer data in the U.K. would be rendered obsolete by the GDPR.
Take this opportunity, then, to engage with your readers and explain the benefits of continuing to receive communications from your business. Let them know how consenting to the use of PII will result in tangible benefits, such as personalized offers and product recommendations. Ask them to update their marketing preferences in a way that gives you as much leeway as possible to use their PII for marketing purposes in the future.
4. The right to be forgotten.
This is one of the most powerful customer rights the GDPR confers. In theory, this enables EU citizens to erase the digital footprint they have left over time. The data protection officer must take measures to erase PII, or all of a user’s past data, upon request; so it is critical that your storage and processing systems are designed to make this feasible.
5. Consider cold emailing effectively dead.
GDPR effectively renders “cold” emailing dead in the EU. In order to legally send a marketing email to an EU citizen, you need documented proof that he or she consented to receive it.
Alternatively, you’ll need to get creative and examine the utility of other platforms for marketing. LinkedIn, for example, is a potential gold mine for marketers. Being a member of the platform means you’ve given consent to connect with other users, leaving the door wide open for companies to reach fellow LinkedIn members with marketing initiatives.
6. Prepare for a breach.
Be prepared. If the worst happens and you experience a breach of sensitive data, the appropriate supervisory authority must be notified of any breach within 72 hours of discovery. With few exceptions, it is also your responsibility to notify data subjects of any breach that could put the “rights and freedoms of individuals” at risk.
While some businesses like the SQL consultant, Brent Ozar, are abandoning marketing in the EU altogether due to GDPR, it’s not ideal to close yourself off from the more than 500 million inhabitants available to market to in the EU.
Proactive adoption of stringent practices to safeguard sensitive customer data can help defend against costly breaches like that suffered by credit bureau Equifax, which exposed over 143 million Americans to the loss of sensitive PII, as reported by the Federal Trade Commission.
Take the opportunity to reach out to your customers, both to update their marketing preferences and to obtain GDPR-compliant consent. If they end up unsubscribing or failing to consent to the use of their PII, perhaps they were not a good fit for your marketing efforts anyway.
And, above all, see the positive side of GDPR compliance: Showing customers that you take data protection seriously is good for business, particularly if your competitors aren’t doing the same. Whatever approach you take, communicate clearly and openly with your clients.