Apologies in advance that this post is so long. There is a lot of information to cover…
GDPR is THE hot topic for many businesses right now. What is it? How will it impact US-based marketers? And how can we prepare?
GDPR is the acronym for the General Data Protection Regulation, the sweeping new EU privacy law that applies to any company that collects or uses personal data from people residing in the EU, whether or not the company itself is located there. Protecting the privacy of individuals is the main reason these new rules were created. They change the way companies collect, use, store, and update data on current and new customers.
The new law takes effect on 25 May 2018, less than three months away!
The penalties for non-compliance are stiff: fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater. That is why it is so critical to have an organizational plan for dealing with customers from the 28 member states of the EU.
I have attended two webinars, talked to people, and done a lot of online research about GDPR in recent weeks to learn more about these new regulations. The legislation is long, wordy, complicated, and a little unclear about the exact requirements for avoiding problems. Very convenient. The key to success will be to have an organizational plan for how to deal with these changes.
There are a plethora of checklists online that your organization can use to better understand GDPR and implement a compliance plan. I have synthesized a couple of them here into six key steps:
- Understand the law. The new regulation was created to protect the privacy of individuals. It makes no distinction between business and personal use of personal data, and both the company that collects the data and the company that sends out the messages hold responsibility for how the data is used.
- Know which data is regulated. Any information that identifies a living person counts as personal data, and the last five items below are "special categories" that get extra protection and generally require explicit consent to process:
- Basic contact information (e.g. name, mailing address, email address)
- Web data such as location and IP address
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Sexual orientation
- Be accountable for the data we hold. We need to be able to answer:
- Why are we collecting each data point?
- How did we get the data?
- How long will we retain the data?
- How securely is the data stored?
- Do we ever share it with a third party? If so, what are their safeguards?
- Be ready to honor the rights of the individuals whose data we hold, which include the:
- Right to be forgotten (erasure of their data on request)
- Right to withdraw consent or object to processing at ANY time
- Right to be told why and how their data is collected and used
- Right to access the data we hold on them
- Right to data portability, meaning they can receive their data in a machine-readable format and take it to another provider
- Review current data collection and storage procedures and privacy policies.
- Update the records of current EU customers in your database, and update your forms and privacy policies.
- Run a gap analysis on your website and data collection flow and implement additional changes as needed. In addition, educate other departments about the new rules.
- Reevaluate and revise as needed.
Other terms and changes we need to be aware of:
- The GDPR defines two roles for organizations that handle personal data:
- Controller: the party that determines the purpose and means of processing (the "how" and "why")
- Processor: the party that processes the data on behalf of the controller.
- There will be cases where a publisher is both a controller and a processor, for example when we send out an email on behalf of a client.
- Appoint a data protection officer (DPO) to oversee and manage the GDPR program. Technically only certain organizations need a DPO (public authorities and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of the special categories), but pretty much everything I have heard says that as a matter of good business practice most organizations will appoint one.
- Prepare for a data breach. A personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and the affected individuals must be notified without undue delay when the breach is likely to put them at high risk. The webinars I listened to say that's almost impossible, but that's the guideline. An interesting fact that I heard is that 75% of data breaches are caused by internal personnel. So any staff that sends out emails needs to be educated on the new law.
Part 2 of this post offers some steps for properly vetting the current names in your database and updating your websites. It is now posted and can be found here.
One of my favorite, more detailed checklists online can be found here.
DISCLAIMER: I am not an attorney, so this should not be construed as legal advice. This post is MY interpretation of what I have learned about GDPR so far, as a marketer who tries to stay on top of audience development and marketing issues. Any legal instructions should come from an attorney with knowledge of the GDPR.
The journey continues. Cindy