On May 25, 2018, the European Union's GDPR (General Data Protection Regulation) starts to apply and changes the way businesses like yours collect, store and use customer data. But what is GDPR anyway?
If you're struggling to wrap your head around GDPR, you're not alone. Even though the EU announced GDPR two years ago, studies show only 40 percent of businesses are ready.
The fact is, if your business processes people’s data, you need to know about GDPR.
This blog post talks about what GDPR means for your marketing efforts in plain English. It also covers how to make your digital marketing assets GDPR-friendly. Please note that this content is my interpretation of GDPR — not legal advice.
Table of Contents
- What Is GDPR?
- The 8 GDPR Data Rights and What They Mean for Your Business
- The Responsibilities of Businesses Under GDPR
- GDPR For Small Business: Are There Any Exceptions?
- How to Prepare Your Digital Marketing Assets for GDPR
- Consequences of Non-Compliance
- Final Words of Advice
What Is GDPR?
Fully understanding GDPR is like trying to crack the meaning of life: Everyone has a unique interpretation, and we may never know the truth.
OK, so maybe that's a slight exaggeration. But really, what is GDPR?
The EU's GDPR is a complex data privacy law. It’s confusing because many different (and sometimes conflicting) explanations exist. One blog says this, another says that and unless you’re a lawyer, it’s hard to tell what’s what.
But with penalties of up to 4 percent of a company's global annual turnover (or €20 million, whichever is higher), you don't want to risk a misstep.
To help clarify what GDPR actually means for your business, here's an explanation of GDPR in five sentences.
GDPR in 5 Sentences
GDPR is the EU's rulebook for how organisations collect, use and protect personal data, and it sets out how data breaches must be handled. It provides people in the European Union with eight basic data rights and requires businesses to uphold them. It replaces the 1995 Data Protection Directive, the EU's previous personal data law.
The new regulation is a complete overhaul of that earlier regime and it's no joke. Failing to comply could result in hefty fines.
Who Should Comply With GDPR?
If your business collects, processes or stores the personal data of people in the EU, GDPR applies to you. It doesn't matter where you're headquartered.
Does GDPR Apply to Everyone?
Nearly. Article 3 of the regulation defines its territorial scope: it covers any organisation established in the EU, and any organisation outside the EU that offers goods or services to, or monitors the behaviour of, people who are in the EU. Summaries such as the Forbes Technology Council's describe this as "EU citizens located in the EU," but the regulation's own test is location, not citizenship: a visitor physically in the EU is covered whatever their nationality, while an EU citizen living outside the EU generally is not.
Region-restricting your website so that people in the EU cannot reach it is evidence that you are not targeting them, but it is not a blanket exemption. If you still accept EU orders or sign-ups through other channels, or already hold records about people in the EU, GDPR can still apply.
What Kind of Data Does GDPR Protect?
GDPR protects the "personal data" of people in the EU. Personal data is any information relating to an identified or identifiable person. A name, address, phone number, IP address or other online identifier, or any data related to physical, physiological, genetic, mental, economic, cultural or social identity qualifies. Pseudonymised data (a customer ID that you can still link back to a person) is still personal data; only properly anonymised data falls outside the regulation.
GDPR guarantees EU citizens eight rights to this type of data.
The 8 GDPR Data Rights and What They Mean For Your Business
Here are the eight personal data rights stipulated in the regulation and what they mean for your business:
- Right to Access Personal Data: Under GDPR, people in the EU can ask what personal data you hold about them and obtain a copy. You must provide it free of charge (you may charge a reasonable fee for further copies), normally within one month, and in a commonly used electronic format if the request came in electronically. Verify the requester's identity before you answer, so that an access request does not become a way for someone else to harvest a customer's data.
- Right to Be Informed, and to Consent Where You Rely on Consent: Consent is one of six lawful bases for processing under GDPR (legitimate interest, discussed later, is another), but whichever basis you use, you must tell people exactly what data you're collecting, what it will be used for and who it is shared with. Where you do rely on consent, it must be freely given, specific to each purpose, informed, given by a clear affirmative action, and as easy to withdraw as it was to give.
- Right to the Portability of Data: At any time, EU citizens have the right to request that their personal data be copied or transferred to another company.
- Right to the Erasure of Data: Also known as the “right to be forgotten,” under this freedom EU citizens can request the removal of their data from your company and third-party databases. You are responsible for erasing personal data from your database and requesting that it be erased from your vendors'.
- Right to Have Information Corrected: People also have the right to request the correction of inaccurate or incomplete data. As with other requests, you must respond within one month; for complex or numerous requests you may extend this by a further two months, provided you tell the person why within the first month.
- Right to Restrict the Processing of Data: Under GDPR EU citizens can limit how your company uses their data. This means that if someone wants you to store their data for transaction history purposes but not use it for marketing, you must do so.
- Right to Object to the Processing of Data for Direct Marketing: EU citizens may request that your company not use their data for direct marketing. You won't be able to send them emails or use their data for profiling.
- Right to Be Notified of a Data Breach: If your company experiences a personal data breach, you must report it to the relevant supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to pose a risk to individuals), and explain any delay. Where the breach is likely to result in a high risk to the people affected, you must also tell them directly without undue delay. That 72-hour clock is a reason to have an incident response process, including a list of which vendors hold copies of your data, in place before you need it.
Responsibilities of Businesses Under GDPR
In addition to respecting the eight citizen rights, GDPR outlines several other standards for businesses.
Get Consent Before You Collect Personal Data
You will need to ask for permission to collect, store and process EU citizens' data. Before an EU visitor submits their data to your company, you must explain what data you're collecting and how you will use it.
Prior to GDPR, a disclaimer or pre-ticked "opt-in" box was often treated as consent. Now, your website visitors must affirmatively opt in to data processing, and you must be able to show when and how they did. If they do not affirmatively opt in and you have no other lawful basis, you cannot store or use their data.
Keep a Record of Your Personal Data Processing Activities
The new regulation (Article 30) requires you to keep records of your processing activities: what EU personal data you hold, the purposes, who it is shared with and how long you keep it.
Where you rely on consent, you must also be able to demonstrate it: record who consented, when, through which form or campaign, what they were told and which purposes they agreed to. Most marketing and sales CRM tools like HubSpot or Salesforce already have this capability.
Eliminate Excess Personal Data
GDPR Article 5 says personal data may be kept in identifiable form for no longer than is necessary for the purposes it was collected for. The regulation does not specify how long is "necessary," so it's up to you to decide how long you keep EU personal data, but you should document the reasoning behind each retention period and actually delete (or anonymise) the data when it runs out.
Adjust Your Privacy Statements and Disclosures
Manage Third-Party Vendor Compliance
If you transfer personal data to vendors, those third-parties need to be as compliant as you. It's your responsibility to ensure vendors you use can provide guarantees to meet compliance with GDPR.
You likely use tools and SaaS subscriptions that access your customer data. You should ensure those vendors are GDPR compliant. Many of these tools have plugins (sub-vendors) that also need to meet GDPR compliance.
If an EU citizen asks that data be erased, modified, etc., you must work with your vendors to ensure they accommodate the request.
Appoint a Data Protection Officer
Article 37 of GDPR requires the designation of a data protection officer (DPO) in specific cases: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Even if you fall outside those cases, you may want to appoint someone within your company to oversee customer data protection and security and monitor compliance with the regulation.
GDPR for Small Business: Are There Any Exceptions?
In general, small businesses are held to the same standards as large corporations under GDPR, with one exception.
Article 30 of the GDPR exempts businesses with fewer than 250 employees from keeping records of personal data processing activities, but only if all of the following hold:
- The processing is not likely to result in a risk to the rights and freedoms of data subjects
- The processing is only occasional
- The processing does not include special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation) or data relating to criminal convictions and offences
Because GDPR does not define "occasional," and routine marketing to a contact list is hard to describe as occasional, you're probably better off keeping data processing records regardless of your company size.
How to Prepare Your Digital Marketing Assets for GDPR
Prepare your digital marketing assets for GDPR by completing the following action items:
Clearly spell out the type of data you collect from website visitors. Also specify how you use the data.
Adjust Your Email Communications
Add a link to recipients' subscription management settings in the footer of every email. This allows contacts to opt in or out of various communications.
Ask for Consent on All Landing Page Forms
Request Fresh Consent From Your Existing EU Contacts If Needed
One of the biggest questions marketers face under GDPR is whether or not the law applies to existing EU citizen data. Do you need to request fresh, GDPR-compliant consent from all EU contacts in your database before May 25?
The answer is not black and white.
Understanding Fresh Consent and Legitimate Interest
The regulation does not name a deadline as such, but from May 25 every record of an EU contact must rest on a lawful basis. If consent is the basis you rely on and you do not hold valid consent for a contact by then, you must stop using their data and delete it from your database and third-party vendors'.
However, consent is not the only lawful basis. GDPR also allows processing that is necessary for a "legitimate interest" of your business, as long as that interest is not overridden by the individual's rights. The question on everyone's mind is, "What is legitimate interest?"
According to award-winning data protection lawyer Suzanne Dibble, it's up to you to decide.
Dibble says that marketing to existing customers without obtaining fresh consent is fine. A recent purchase qualifies as a "legitimate interest" and therefore consent.
However, Dibble also says that sending marketing material to EU citizens you haven't heard from in five years probably won't be considered GDPR compliant. However, sending occasional and highly targeted material to past customers is probably ok.
Ultimately, Dibble's advice is, "Really, put yourself in the customer’s position. Are they going to expect to hear from you or not? If they’re not, then you would need consent if you wanted to start marketing to them."
How to Run a Permission Pass Email Campaign to Request Fresh Consent
If you decide to request fresh consent from EU contacts, you must execute a permission pass email campaign before May 25. After that date you won't be able to email anyone who hasn't consented unless you have another lawful basis, and those contacts' data will have to be deleted for good.
If you're a U.S.-based business, the first thing to do is to identify which contacts are in the EU. Segmenting by IP address is a quick first cut, but IP geolocation is unreliable (VPNs, corporate proxies and mobile networks all mislead it), so combine it with the country in the contact's address, billing or profile data. From there, you can determine which customers fall under "legitimate interest" and which you'll need to obtain fresh consent from.
Once you have your final list, execute a permission pass campaign. Be sure to use clear, concise language in the email. Explain what data you're requesting consent for and how the data will be used — you must be granular. Make it easy for recipients to provide consent with the click of a button.
If a contact replies with consent, great: you can keep using their data for all the purposes stated in the permission pass email, and you should log when, how and to what they consented. If a contact does not provide consent, or if you do not hear from them before May 25, you must remove them from your database and third-party vendors'.
Permission pass campaigns significantly reduce the amount of contacts in your database. If you choose to run one in preparation for GDPR, be ready to lose a large portion of contacts.
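The record-keeping and permission-pass steps above boil down to one piece of logic: an append-only log of who agreed to what, when and how, plus a pre-send check that asks whether a given contact can lawfully receive a given kind of email, and a purge list for EU contacts who end up with no basis at all. The following is an added example of that logic, written for this page; it is not code from the original post or from any CRM product. The purpose names, the two-year "recent customer" window, the purposes justified on legitimate interest and the sample contacts are all assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Assumed policy values for this example (GDPR does not set them): the date
# after which EU contacts without any lawful basis are purged, how recent a
# purchase must be before existing-customer marketing is justified on
# legitimate interest, and which purposes we are prepared to justify that way.
CONSENT_DEADLINE = datetime(2018, 5, 25, tzinfo=timezone.utc)
LEGITIMATE_INTEREST_WINDOW = timedelta(days=2 * 365)
LEGITIMATE_INTEREST_PURPOSES = frozenset({"product_updates"})
DEMO_NOW = datetime(2018, 5, 26, tzinfo=timezone.utc)   # the day after the deadline


@dataclass
class ConsentEvent:
    """One recorded decision: which purpose, opt-in or withdrawal, when, and how captured."""
    purpose: str       # granular purpose, e.g. "newsletter" or "product_updates"
    given: bool        # True = affirmative opt-in, False = withdrawal or objection
    at: datetime
    source: str        # form id, campaign id, support ticket: whatever proves the action


@dataclass
class Contact:
    email: str
    in_eu: bool        # from billing/profile country, never guessed from an IP address alone
    last_purchase: Optional[datetime] = None
    events: List[ConsentEvent] = field(default_factory=list)


def record_consent(contact: Contact, purpose: str, given: bool,
                   at: datetime, source: str) -> None:
    """Append-only log: earlier events are never overwritten, so the full history
    can be produced on an access request. Call this only on an affirmative action;
    a pre-ticked box or silence must never produce a given=True event."""
    contact.events.append(ConsentEvent(purpose, given, at, source))


def has_consent(contact: Contact, purpose: str, now: datetime) -> bool:
    """The most recent event for the purpose decides, so a later withdrawal beats
    an earlier opt-in."""
    relevant = [e for e in contact.events if e.purpose == purpose and e.at <= now]
    if not relevant:
        return False
    return max(relevant, key=lambda e: e.at).given


def has_legitimate_interest(contact: Contact, purpose: str, now: datetime) -> bool:
    """The existing-customer rule from the post: a recent purchase, for a purpose the
    customer would reasonably expect. An explicit objection overrides it."""
    if contact.last_purchase is None or purpose not in LEGITIMATE_INTEREST_PURPOSES:
        return False
    objected = any(e.purpose == purpose and not e.given and e.at <= now
                   for e in contact.events)
    return not objected and (now - contact.last_purchase) <= LEGITIMATE_INTEREST_WINDOW


def may_send(contact: Contact, purpose: str, now: datetime) -> bool:
    """Pre-send gate. Non-EU contacts are outside this post's scope (other marketing
    laws still apply to them); EU contacts need consent or legitimate interest."""
    if not contact.in_eu:
        return True
    return has_consent(contact, purpose, now) or has_legitimate_interest(contact, purpose, now)


def contacts_to_purge(contacts: Iterable[Contact], purposes: Iterable[str],
                      now: datetime) -> List[str]:
    """After the deadline, EU contacts with no lawful basis for any purpose are
    listed for deletion here and at every vendor holding a copy."""
    if now < CONSENT_DEADLINE:
        return []
    purposes = list(purposes)
    return [c.email for c in contacts
            if c.in_eu and not any(may_send(c, p, now) for p in purposes)]


def build_sample_contacts() -> Dict[str, Contact]:
    """Constructed sample data for the demonstration (not real contacts)."""
    utc = timezone.utc
    alice = Contact("alice@example.com", in_eu=True)
    record_consent(alice, "newsletter", True, datetime(2018, 5, 10, tzinfo=utc),
                   "permission_pass_2018")
    bob = Contact("bob@example.com", in_eu=True,
                  last_purchase=datetime(2018, 3, 1, tzinfo=utc))      # recent customer
    carol = Contact("carol@example.com", in_eu=True)
    record_consent(carol, "newsletter", True, datetime(2017, 1, 1, tzinfo=utc), "old_signup_form")
    record_consent(carol, "newsletter", False, datetime(2018, 5, 20, tzinfo=utc), "unsubscribe_link")
    dave = Contact("dave@example.com", in_eu=True,
                   last_purchase=datetime(2014, 6, 1, tzinfo=utc))     # lapsed customer
    erin = Contact("erin@example.com", in_eu=False)
    return {"alice": alice, "bob": bob, "carol": carol, "dave": dave, "erin": erin}


def run_demo() -> dict:
    """Evaluate the sample contacts the day after the deadline and 30 days before it."""
    people = build_sample_contacts()
    purposes = ("newsletter", "product_updates")
    decisions = {name: {p: may_send(c, p, DEMO_NOW) for p in purposes}
                 for name, c in people.items()}
    return {"decisions": decisions,
            "purge": contacts_to_purge(people.values(), purposes, DEMO_NOW),
            "purge_before_deadline": contacts_to_purge(people.values(), purposes,
                                                       DEMO_NOW - timedelta(days=30))}


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the log is the evidence: the pre-send decision is derived from it every time rather than stored as a mutable "subscribed" flag, so a withdrawal or objection can never be lost, and the same log answers an access request and feeds the erasure requests you send to vendors.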
Change Your Google Analytics Settings
Google Analytics changed its user data retention settings in an effort to comply with GDPR's clause about not keeping data for "longer than is necessary."
Going forward, Google Analytics will automatically delete stored user-level and event-level data once the retention period is up. More importantly, it recently set your default retention period to 50 months, along with all other Google Analytics users'. The setting does not affect the aggregated data behind most standard reports, only the stored user and event data.
Your website user data will be deleted 50 months after the user visits your site unless you go into your Google Analytics settings and select a different period.
You can select any one of the following time frame options:
- 14 months
- 26 months
- 38 months
- 50 months
- Do not automatically expire
While Google recommends the 50-month time frame, it is up to you to determine how long is "longer than necessary."
Consequences of Non-Compliance
There are two tiers of fines for failing to comply with GDPR: up to €10 million or two percent of your global annual turnover (whichever is higher) for lesser infringements such as record-keeping and breach-notification failures, and up to €20 million or four percent for violations of the core principles and of individuals' rights.
Final Words of Advice
Now that you've made it through this entire post, instead of wondering, "What is GDPR?" use the action items listed here to prepare your digital marketing assets for the big dance on May 25!
Remember: while it might not seem like it now, the purpose of GDPR is to protect personal data and guard against breaches.
Want to learn more about how we're preparing our clients for GDPR? Let's chat!