Do you know about GDPR compliance? Are you ready for it?
Those are two very important questions that you should be able to answer if you’re doing any digital marketing to a European audience. That’s because GDPR goes into effect on May 25, 2018.
Here’s what you need to know about it.
Note: the new regulation will affect your business even if it’s not located within the European Union (EU).
What Is GDPR?
GDPR stands for General Data Protection Regulation. It replaces the 1995 Data Protection Directive.
Its purpose is to protect the privacy of consumers who conduct business online. You can think of it as a bill of rights for e-shoppers.
Under GDPR, businesses can’t process customer data unless it’s for a lawful purpose or those businesses have received explicit instructions from the customer to do so.
And what constitutes a “lawful purpose” for processing customer data? That’s identified in the regulation:
- The person has engaged in a legal contract with the company
- The data processing is necessary to fulfill a legal obligation
- The data processing is necessary to protect somebody else’s information
- The data processing is necessary to carry out a task that’s in the public’s interest
- The data processing is necessary to pursue “legitimate interests” by a controller or third party
So your first takeaway should be this: GDPR is designed to help customers, not businesses.
In fact, businesses are still scrambling at this 11th hour to make sure that they’re compliant when the regulation goes into effect later this week.
Why? Because GDPR requires companies that collect and process data to keep personally identifiable information (PII) secure. That’s a tall order for businesses that haven’t been dotting their cryptographic i’s and crossing their tokenization t’s.
They had better get that sorted out very quickly, though. Penalties for GDPR violations are stiff.
Companies can get fined up to 4% of global sales. That could cost billions of dollars for larger corporations.
For smaller companies, the fine can get as high as $23 million.
So if you’re not sure that your business is compliant, you might want to read on.
Is Your Business Affected?
Probably.
It’s a global economy. Even if you’re based in the United States or outside of the EU, you’re probably doing business with Europeans.
In that case, GDPR will affect your business.
Also, if your company supports businesses that are based in the EU, then it’s affected. For example, call centers that handle customer service inquiries for businesses located in Europe will need to follow GDPR rules.
Unfortunately, the cost of complying with the regulation isn’t cheap. According to one study, businesses are spending $8 billion worldwide to avoid running afoul of GDPR.
Your business will most likely need to make some kind of investment as well.
“Opt-In” Is Now Mandatory
Your new best friend is summed up in two words: “opt-in.”
You’ve probably heard those words before. They’re popular in discussions about email marketing.
If you want to stay compliant with GDPR, you should apply them to all your data processing tasks.
According to the regulation, permission to use a person’s data must be “freely given, specific, informed, and unambiguous.”
There aren’t too many other adjectives the regulators could have included to make it abundantly clear that you must have permission before you use people’s data.
Don’t automatically add someone’s email to your distribution list. Don’t send text messages just because you have the person’s phone number.
Get permission for everything. You can do that with a simple checkbox that reads: “I give permission to receive text messages from the company” or words to that effect.
By the way, it’s probably a great idea to go the extra mile here. Once again, let email marketing best-practices be your guide.
You’ve probably seen a process where a visitor opts into an email list on a website. Then, that visitor receives an email asking for verification about the opt-in.
That’s called a double opt-in and it’s a great idea for you to put it into practice as much as possible.
Here’s an important point about securing permission: make sure you have an audit trail that demonstrates you got consent.
The authorities that enforce GDPR compliance are unlikely to assume that you’re innocent until proven guilty when it comes to getting permission for data use. They will want to see evidence that you got permission before using anyone’s information.
Make sure you can provide that evidence on a moment’s notice.
One final point here: opt-in also means opt out. Make it abundantly clear how people can choose to no longer receive your emails, text messages, or phone calls.
GDPR Compliance: Use Cookies Only With Consent
You can’t even use cookies without consent from European visitors. Take a look at Recital 30 of the GDPR:
Natural persons may be associated with online identifiers… such as internet protocol addresses, cookie identifiers or other identifiers… This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
If you’re not familiar with cookies, then your website probably isn’t using them. They’re digital footprints that some sites place in a user’s browser.
If your website is using cookies, you need to get permission from European customers before you add them to their browsers.
Why? Because as the Recital above states, cookies can be used to identify people. Therefore, they’re PII.
Usually, GDPR-compliant sites use a small popup that appears at the bottom of the screen to ask visitors for permission to use cookies. You’ll need to do that or stop using cookies completely.
Full Disclosures
It’s not only important that you get permission when processing people’s data, it’s also imperative that you fully disclose what you’re going to do with that information.
Are you going to share it with third parties? Are you going to use it for marketing research?
Tell them.
In fact, you should tell them in very plain language. Yes, that’s part of GDPR compliance.
Use clear, concise language to tell your customers how you plan on using their data. Answer all the important questions: who, when, where, why, what, and how.
This is where it’s better to give away too much info than not enough. You might lose some opt-ins, but that beats getting fined by European regulators.
Keep in mind, though, there’s a benefit to sharing that kind of detail. Your customers will appreciate the transparency, even if it’s mandated.
That builds good will.
Forget About ‘Em
Under GDPR, consumers have the right to be forgotten.
That’s not a typo. Customers can request that you remove their data from your database.
And you must comply.
So ask yourself this question: do you have a process in place to anonymize the records of specific customers? If not, then you’d better get one quickly if you plan on doing any business in Europe.
Alternatively, you could delete those records outright. That might be the easiest way to stay compliant, since going through all records and eliminating only the PII is a bit more involved.
Whatever solution you come up with, it has to be permanent. In other words, you can’t delete a customer’s record and then have it show up again later from a backup.
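The consent audit trail described earlier and the erasure-that-survives-backups requirement above can be handled with two small components. This is an added example, not code from the article: a purpose-specific consent ledger and a customer store whose erasure tombstones are re-applied whenever a backup is restored. All names, fields and data are constructed for illustration.

```python
# Added example, not from the article: a purpose-specific consent ledger plus
# erasure tombstones re-applied on backup restore. All data is constructed.
import copy
from datetime import datetime, timezone

PII_FIELDS = ("name", "email", "phone")

class ConsentLedger:
    """Append-only audit trail: one event per consent change, per purpose."""
    def __init__(self):
        self.events = []

    def record(self, user_id, purpose, granted, source, confirmed=False):
        # 'source' = where consent came from; 'confirmed' = double opt-in done.
        self.events.append({"ts": datetime.now(timezone.utc).isoformat(),
                            "user_id": user_id, "purpose": purpose,
                            "granted": granted, "source": source,
                            "double_opt_in": confirmed})

    def has_consent(self, user_id, purpose):
        # Latest event for this exact purpose wins; no event means no consent.
        for ev in reversed(self.events):
            if ev["user_id"] == user_id and ev["purpose"] == purpose:
                return ev["granted"]
        return False

    def evidence(self, user_id):
        """Everything a regulator would ask to see for one person."""
        return [ev for ev in self.events if ev["user_id"] == user_id]

class CustomerStore:
    """Customer records plus a tombstone set kept outside the backups."""
    def __init__(self):
        self.records = {}
        self.tombstones = set()

    def erase(self, user_id):
        # Strip PII, keep non-identifying fields; the tombstone outlives restores.
        self.tombstones.add(user_id)
        rec = self.records.get(user_id)
        if rec is not None:
            for field in PII_FIELDS:
                rec.pop(field, None)
            rec["erased"] = True

    def restore(self, backup):
        # A pre-erasure backup still holds PII: scrub every tombstoned record again.
        self.records = copy.deepcopy(backup)
        for user_id in list(self.tombstones):
            self.erase(user_id)
```

Consent to one purpose (e-mail) deliberately says nothing about another (SMS), matching the "get permission for everything" rule, and the tombstone set must itself be stored separately from the backups it protects against.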
GDPR Compliance: Be Accessible
For GDPR compliance, you’ll also need to give customers the ability to access and modify their PII.
That doesn’t necessarily mean that you provide a web-based user interface so that people can change their name or address (although that’s a great idea). But you should make it obvious who they can contact to have their info altered.
Trim the Fat
GDPR also mandates that you store only that customer data which is absolutely necessary.
If you’re storing additional data that’s a “nice to have,” you’ll need to do one of three things with it: encrypt it, remove it, or anonymize it.
Fess Up
Have you ever read a news report about a company that went through a data breach and didn’t announce it until months after the fact? Did that make you mad?
That kind of story makes a lot of people mad. That’s why GDPR requires you to alert the Information Commissioner’s Office (ICO) within 72 hours if you find evidence that customer data has been compromised.
Sure, it’s a public relations nightmare when that happens. But it’s better to suffer the PR backlash than deal with hefty fines.
What About Legitimate Interest?
As we’ve seen, you’re allowed to process a user’s data if there’s a “legitimate interest” involved.
What does that mean? It means talk to your attorney.
Seriously, it’s an ambiguous provision within GDPR. If you’re looking to stay compliant while exploiting that loophole, you need to make sure that your legal ducks are in a row. Otherwise, you could find yourself in quite a bit of trouble.
Even if you do manage to conduct a “legitimate interest” campaign, you still need to make sure that the people you target can opt out. If they ask you to forget about them, you also need to honor that request.
GDPR Compliance: You Might Need a DPO
Get ready to run an ad on Monster. You might have to hire a data protection officer (DPO).
That’s an individual who will make sure that your organization maintains GDPR compliance. You’re going to spend some money on that kind of talent, but it’s the cost of doing business these days.
The good news is that you might not need a DPO. According to GDPR, you only need a DPO if:
- Your business is a public authority
- Your business monitors individuals systematically and on a large scale as part of core operations
- Your business processes special categories of personal data on a large scale
If you’re not sure about any of that, contact an attorney.
Even if you don’t need a DPO, it might be a good idea to have one on staff anyway. They can save you a fortune in fines if they uncover GDPR violations.
Keep Customers in the Loop
Once you’ve determined what kinds of actions you need to take to stay GDPR compliant, you should let your customers know what’s going on. Keep them informed.
Post a message on your website explaining all the changes that your company is making to ensure that customer information stays secure. Also, let them know about your new opt-in processes and how they can update their data or request that it be removed.
You’ll not only stay within the confines of GDPR when you do that, but you’ll also give your customers a little peace of mind.
Wrapping It Up
As of this writing, GDPR goes into effect in just four days. Are you ready?
If not, now’s the time to get an action plan in place. Follow the guidelines above, get legal advice about specifics, and let your customers know what’s going on.
That’s how you’ll stay out of trouble.