The compliance deadline for the European Union's General Data Protection Regulation (GDPR) is less than four months away: May 25, 2018.
GDPR is a privacy regulation that sets a new, higher bar for how people in the EU can expect companies to treat their data. Stateside marketers often assume it does not apply to them, but that is a misconception: GDPR applies to any business that holds or processes the personal data of individuals in the EU, regardless of where the company itself is located. It also applies to data you have already collected. Case in point: if data already on file was not collected in a way that meets GDPR's requirements, it cannot be processed after the deadline.
And it’s not just for the legal or security teams to worry about. One of the GDPR requirements is that companies adopt a privacy by design approach, ensuring that privacy is formally considered when collecting, using or sharing data.
This means that marketers, product managers, and user experience professionals need to understand how GDPR will affect them. We break down the specifics below.
GDPR allows companies to store and process personal data only under one of six lawful bases. The ones marketers will most often rely on are performance of a contract (fulfilling a service the customer signed up for), legitimate interests, and the individual's consent.
What is data processing? Examples include using an employee's data to run payroll, collecting an email address to send marketing emails, setting cookies to engage in online advertising, or hosting customer data as a SaaS provider.
Marketers especially will need to work with their legal and IT departments to determine whether their existing databases can be processed under legitimate interests or whether they need to rely on consent. Most online identifiers, such as advertising IDs, cookies, and tracking pixels, will fall into the consent bucket.
If relying on consent, there are specific requirements that need to be met. These requirements must also be tracked as evidence.
They include an explicit opt-in (no pre-ticked box) that is not a condition of signing up for the service and is separate from the terms; an accurate privacy notice; and an easy-to-understand description of each specific use, broken down by type (such as advertising or analytics cookies, or marketing emails about your company's latest products).
Additionally, users must be able to withdraw consent at any time, and withdrawing must be as easy as granting it was.
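The consent rules above (one explicit opt-in per purpose, nothing pre-ticked, withdrawal at any time, and a record kept as evidence) map fairly directly onto a data structure: an append-only ledger of consent decisions that can be queried as of any point in time. The Python below is an added example, not code from the original article or from any vendor or product; the class, field and function names are this example's own, and the sample timeline in it is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision. Field names are this example's own."""
    subject_id: str       # pseudonymous id for the data subject, not an email
    purpose: str          # one specific use, e.g. "marketing_email"
    granted: bool         # True = explicit opt-in, False = withdrawal
    at: datetime          # when the choice was made (UTC)
    notice_version: str   # which privacy notice text the subject was shown
    source: str           # where it was captured, e.g. a form or link id


class ConsentLedger:
    """Append-only, per-purpose consent record.

    Nothing is pre-assumed: with no event on file for a purpose, processing
    for that purpose is not permitted (no pre-ticked box). Consent for one
    purpose says nothing about another. Events are never edited or removed,
    so the history survives a withdrawal and can be produced as evidence.
    """

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, granted: bool,
                notice_version: str, source: str,
                at: Optional[datetime]) -> ConsentEvent:
        event = ConsentEvent(subject_id, purpose, granted,
                             at or datetime.now(timezone.utc),
                             notice_version, source)
        self._events.append(event)
        return event

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              source: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Record an explicit opt-in for exactly one purpose."""
        return self._append(subject_id, purpose, True, notice_version, source, at)

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Record a withdrawal. It must be as easy as granting, so nothing
        beyond the purpose and where the request came from is required."""
        return self._append(subject_id, purpose, False, "", source, at)

    def is_permitted(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """Was processing for `purpose` consented to as of time `at`?

        The most recent decision on or before `at` wins; with none, the
        answer is False. Passing a past `at` checks whether a message sent
        back then was covered by consent at the time.
        """
        at = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for event in self._events:
            if (event.subject_id == subject_id and event.purpose == purpose
                    and event.at <= at):
                if latest is None or event.at >= latest.at:
                    latest = event
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Full decision history for one subject and purpose, oldest first,
        to hand over when asked to demonstrate that consent was obtained."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)


# Constructed sample timeline (not real data): a sign-up on the GDPR
# deadline and an unsubscribe a week later.
T_SIGNUP = datetime(2018, 5, 25, 10, 0, tzinfo=timezone.utc)
T_UNSUBSCRIBE = datetime(2018, 6, 1, 9, 30, tzinfo=timezone.utc)


def demo() -> dict[str, bool]:
    ledger = ConsentLedger()
    before = ledger.is_permitted("subj-42", "marketing_email", at=T_SIGNUP)
    ledger.grant("subj-42", "marketing_email", "notice-2018-05",
                 "signup-form", at=T_SIGNUP)
    ledger.withdraw("subj-42", "marketing_email", "unsubscribe-link",
                    at=T_UNSUBSCRIBE)
    return {
        "before_optin": before,                       # no pre-ticked box
        "cookies_after_optin": ledger.is_permitted(   # separate purpose
            "subj-42", "advertising_cookies", at=T_SIGNUP),
        "email_after_optin": ledger.is_permitted(
            "subj-42", "marketing_email", at=T_SIGNUP),
        "email_after_withdrawal": ledger.is_permitted(
            "subj-42", "marketing_email", at=T_UNSUBSCRIBE),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point of the design is that the ledger never answers "yes" by default and never loses history: a withdrawal is a new event, not an edit, so the grant it supersedes (with the notice version and form it came from) is still there to show a regulator. In a real system the ledger would be persisted append-only and keyed by a pseudonymous subject id rather than an email address.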
GDPR expands the definition of personal data to include online identifiers (such as cookie IDs and IP addresses), and it singles out special categories of data, such as trade union membership, sexual orientation, and religious and political beliefs, for stricter treatment.
Processing personal data that reveals racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, or sexual orientation is prohibited unless the individual gives explicit consent or one of the other narrow exceptions applies.
In turn, marketers will need to be very careful about how they collect and process these special categories of data. In some situations, the use of sensitive data will trigger a data protection impact assessment (DPIA) to confirm that it is being properly collected, used, and stored.
Another big change? Companies can no longer collect data just in case it proves useful later. GDPR mandates that personal data be kept for "no longer than is necessary for the purposes for which the personal data are processed."
This will likely be a huge departure from what marketers, user experience, and IT teams are accustomed to doing today.
Marketers and product managers working with a new vendor that will collect data will also need to consider GDPR requirements.
For example, a detailed agreement stating what data is collected, how long it will be stored, and the specific purposes it may be used for will now be a requirement. IT teams will need to be involved in assessing vendors to ensure they follow industry security practices and can meet the breach notification requirements.
GDPR also introduces several obligations for controllers (the company that decides how and why personal data is processed) and processors (the company that processes data on behalf of the controller), including giving the data subject (the customer or employee) the right to erasure (the "right to be forgotten"), the right to port their data to another company, including a competitor, and the right to object to profiling.
Companies need to consider how they will meet these requirements, both today and in the future, with the introduction of new processes or business partners.
For example, to whom in the company will the request go, and how will it be processed? How will the data subject be authenticated, so that a forged request cannot be used to delete or obtain someone else's data? For an erasure request, a process is needed to determine which data can be deleted and which must be retained for legal reasons.
A similar need exists for other obligations, such as reporting a data breach to the supervisory authority within 72 hours of becoming aware of it. Who will handle that in the company? Are all business partners able to meet that requirement?
Maintaining an incident response plan will help companies meet these obligations. Furthermore, companies will need to require their partners to comply with these requirements as part of the contract terms.
There’s no doubt about it: GDPR will affect marketing practices, website and product design, and even how data privacy and security is handled within a company.
Follow the steps below to prepare your company, and your content team, for the new data privacy rules.