The compliance deadline for the European General Data Protection Regulation (GDPR) is less than four months away, on May 25, 2018.
GDPR is a privacy regulation that sets a new high bar for how EU customers will expect their data to be treated by companies. A common misconception among stateside marketers is that it applies only to companies located in the EU. In fact, GDPR applies to any business that holds or processes personal data of individuals in the EU, regardless of where the company itself is located. It also applies to data already collected: if existing data was not collected in a way that meets GDPR requirements, it cannot be processed.
And it’s not just for the legal or security teams to worry about. One of the GDPR requirements is that companies adopt a privacy by design approach (the regulation calls it data protection by design and by default), ensuring that privacy is formally considered whenever data is collected, used or shared.
This means that marketers, product managers, and user experience professionals need to understand how GDPR will affect them. We break down the specifics below.
GDPR allows companies to store and process personal data only under one of six lawful bases. The ones marketers will encounter most are performance of a contract (such as fulfilling a service the customer signed up for), legitimate interests, and the individual’s consent; of these, legitimate interests is the basis companies will most commonly rely upon.
What is data processing? Examples include using an employee’s data to process payroll, collecting an email address to send marketing emails, setting cookies to engage in online advertising, or serving as a SaaS provider.
Marketers especially will need to work with their legal and IT departments to determine whether their existing databases meet the criteria for legitimate interests or whether they need to rely on consent. Most online identifiers, like advertising IDs, cookies, and tracking pixels, will fall into the consent bucket.
If relying on consent, there are specific requirements that must be met, and the consent itself must be recorded so it can be produced as evidence.
They include an explicit opt-in (no pre-ticked box) that is not a condition of signing up for the service and is kept separate from the terms; an accurate privacy notice; and an easy-to-understand description of each specific use, broken down by type (such as advertising cookies, analytics cookies, or marketing emails about your company’s latest products).
Additionally, the user must be able to withdraw consent at any time, and doing so must be as easy as giving it.
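As an added example (not code from the original article), here is a minimal consent ledger in Python that enforces the points above: one switch per purpose rather than a single "I agree" box, a default of no consent unless an explicit opt-in is recorded, withdrawal at any time, and every event stored with the timestamp, privacy-notice version and capture point needed as evidence. The purpose names, notice versions, source labels and the two sample subjects are assumptions made for the illustration.

```python
"""Per-purpose consent ledger (added example; not code from the original article).

Assumptions, for illustration only: the purpose names, the privacy-notice version
strings, the "source" labels and the sample subjects are all made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One switch per use case: a single "I agree" box is not a valid GDPR consent.
PURPOSES = frozenset({"marketing_email", "advertising_cookies", "analytics_cookies"})


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in or withdrawal, with the evidence needed to prove it later."""
    subject_id: str
    purpose: str
    granted: bool          # True = opt-in, False = withdrawal
    at: datetime           # timezone-aware timestamp of the user's action
    notice_version: str    # privacy notice shown at the time (empty on withdrawal)
    source: str            # where the action was captured, e.g. a form or settings page


class ConsentLedger:
    """Append-only log; the most recent event per (subject, purpose) decides the state."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {event.purpose}")
        if event.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(event)   # never edited or deleted: this is the evidence trail

    def opt_in(self, subject_id: str, purpose: str, notice_version: str,
               source: str, at: Optional[datetime] = None) -> None:
        if not notice_version:
            raise ValueError("an opt-in must reference the privacy notice shown")
        self.record(ConsentEvent(subject_id, purpose, True,
                                 at or datetime.now(timezone.utc), notice_version, source))

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> None:
        self.record(ConsentEvent(subject_id, purpose, False,
                                 at or datetime.now(timezone.utc), "", source))

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Default is False: no recorded opt-in means no consent (no pre-ticked boxes)."""
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.subject_id == subject_id and e.purpose == purpose:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.granted

    def status(self, subject_id: str) -> Dict[str, bool]:
        """Current consent state for every purpose, e.g. for a preferences page."""
        return {p: self.may_process(subject_id, p) for p in sorted(PURPOSES)}

    def evidence(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, in order, for an audit or access request."""
        return [e for e in self._events if e.subject_id == subject_id]


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed sample history for two made-up subjects."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    # "alice" ticks two separate boxes at signup (notice v2) and leaves analytics unticked.
    ledger.opt_in("alice", "marketing_email", "2018-v2", "signup_form", at=t0)
    ledger.opt_in("alice", "advertising_cookies", "2018-v2", "cookie_banner", at=t0)
    # A month later she withdraws advertising consent from her account settings.
    ledger.withdraw("alice", "advertising_cookies", "account_settings",
                    at=datetime(2018, 6, 25, 9, 0, tzinfo=timezone.utc))
    # "bob" signed up but never ticked anything: nothing may be processed on a consent basis.
    return {"alice": ledger.status("alice"), "bob": ledger.status("bob")}


if __name__ == "__main__":
    for subject, state in demo().items():
        print(subject, state)
```

The ledger is deliberately append-only: a withdrawal is a new event rather than an edit, so the history of what the user agreed to, under which notice version and where, survives as the evidence the regulation expects you to be able to produce.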
Under GDPR, the definition of personal data is expanded to explicitly include online identifiers, and certain data, such as trade union membership, sexual orientation, and religious and political beliefs, is designated as a special category that receives extra protection.
Processing personal data that reveals racial or ethnic origin, political opinions, religious beliefs, or trade union membership, or that concerns health or sexual orientation, is prohibited unless the individual has given explicit consent or one of the other narrow exceptions applies.
In turn, marketers will need to be very careful about how they collect and process these special categories of data. In some situations, the use of sensitive data will trigger a privacy impact assessment (GDPR’s term is a data protection impact assessment, or DPIA) to ensure that it is being properly collected, used, and stored.
Another big change? Companies can no longer collect data simply because it might be useful later. GDPR mandates that personal data be kept for “no longer than is necessary for the purposes for which the personal data are processed,” so each data set needs a defined purpose and a retention period tied to it.
This will likely be a huge departure from what marketers, user experience, and IT teams are accustomed to doing today.
Marketers and product managers working with a new vendor that will collect data will also need to consider GDPR requirements.
For example, a detailed agreement outlining what data is collected, how long it will be stored, and the specific purposes it may be used for will now be a requirement. IT teams will need to be involved in assessing vendors to ensure they follow industry-standard security practices and can meet the data breach notification requirements.
GDPR also introduces several obligations for controllers (the company that decides how and why personal data is processed) and processors (the company that processes data on behalf of the controller), including giving the data subject (the customer or employee) the right to be forgotten, the right to port their data to another company, including a competitor, and the right to object to profiling.
Companies need to consider how they will meet these requirements, both today and in the future, with the introduction of new processes or business partners.
For example, to whom in the company will the request go, and how will it be processed? How will the data subject be authenticated before any data is released or deleted? If it is a right to be forgotten request, a process is needed to determine which data can be deleted and which has to be retained for legal reasons.
A similar need exists for other obligations, such as reporting a personal data breach to the supervisory authority within 72 hours of becoming aware of it. Who will handle that in the company? Are all business partners able to meet that requirement?
Maintaining and rehearsing an incident response plan will help companies meet these obligations. Furthermore, companies will need to require any partners to comply with these requirements as part of the agreement of terms.
There’s no doubt about it: GDPR will affect marketing practices, website and product design, and even how data privacy and security are handled within a company.
Follow the steps below to prepare your company – and content team – for the new data privacy rules.
Content Science Review