On May 25, the European Union’s GDPR (General Data Protection Regulation) will come into force and change the way businesses like yours collect, store and use customer data. But what is GDPR anyway?
If you're struggling to wrap your head around GDPR, you're not alone. Even though the EU announced GDPR two years ago, studies show only 40 percent of businesses are ready.
The fact is, if your business processes people’s data, you need to know about GDPR.
This blog post talks about what GDPR means for your marketing efforts in plain English. It also covers how to make your digital marketing assets GDPR-friendly. Please note that this content is my interpretation of GDPR — not legal advice.
Fully understanding GDPR is like trying to crack the meaning of life: Everyone has a unique interpretation, and we may never know the truth.
OK, so maybe that's a slight exaggeration. But really, what is GDPR?
The EU's GDPR is a complex data privacy law. It’s confusing because many different (and sometimes conflicting) explanations exist. One blog says this, another says that and unless you’re a lawyer, it’s hard to tell what’s what.
But with penalties of up to 4 percent of a company's annual revenue, you don't want to risk a misstep.
To help clarify what GDPR actually means for your business, here's an explanation of GDPR in five sentences.
GDPR is the EU’s way of cracking down on company data breaches. It provides European Union citizens with eight basic data rights and requires businesses to uphold them. It’s the EU’s first legislative attempt at protecting personal data since 1995.
The new regulation is a complete overhaul of the EU's existing data privacy regulation and it's no joke. Failing to comply could result in hefty fines.
If your business collects, processes or stores EU citizen data, GDPR applies to you. It doesn’t matter where you're headquartered.
Yes. GDPR applies to businesses around the globe — with one exception.
According to the Forbes Technology Council, Article 3 of the regulation states that GDPR only applies to EU citizens located in the EU. An EU citizen living outside of the EU would not fall under GDPR.
If your website is region restricted so that people in the EU cannot access it, GDPR does not apply to you.
GDPR protects the “personal data” of EU citizens. Personal data is any information used to determine individual identities. A name, address, phone number, IP address or any data related to physical, psychological, genetic, mental, economic, cultural or social identity qualifies.
GDPR guarantees EU citizens eight rights to this type of data.
Here are the eight personal data rights stipulated in the regulation and what they mean for your business:
In addition to respecting the eight citizen rights, GDPR outlines several other standards for businesses.
You will need to ask for permission to collect, store and process EU citizens' data. Before an EU visitor submits their data to your company, you must explain what data you're collecting and how you will use it.
Prior to GDPR, a disclaimer or pre-ticked "opt-in" button qualified as consent. Now, your website visitors must affirmatively "opt-in" to data processing. If they do not affirmatively opt-in, you will not be able to store or use their data.
The new regulation asks you to keep processing records on EU citizen data.
You must record when and how EU citizens consent to data collection, storage and processing. Most marketing and sales CRM tools like HubSpot or Salesforce already have this capability.
GDPR Article 5 frowns upon keeping data "longer than is necessary." The regulation does not specify how long is "necessary," so it's up to you to decide how long you want to keep EU citizen data.
Transparency is important under GDPR. It's emphasized multiple times throughout the regulation. Update your privacy policy to acknowledge the rights held by EU citizens and make it easy for visitors to exercise their rights.
If you transfer personal data to vendors, those third parties need to be as compliant as you are. It's your responsibility to ensure the vendors you use can provide guarantees that they meet GDPR compliance.
You likely use tools and SaaS subscriptions that access your customer data. You should ensure those vendors are GDPR compliant. Many of these tools have plugins (sub-vendors) that also need to meet GDPR compliance.
If an EU citizen asks that data be erased, modified, etc., you must work with your vendors to ensure they accommodate the request.
Article 37 of GDPR calls for the designation of a data protection officer (DPO). You may want to appoint someone within your company to oversee customer data protection and security and monitor compliance with the regulation.
In general, small businesses are held to the same standards as large corporations under GDPR with one exception.
Article 30 of the GDPR states that businesses with fewer than 250 employees are exempt from keeping records of personal data processing activities if:
However, because GDPR does not define "occasional," you're probably better off keeping data processing records regardless of your company size.
Prepare your digital marketing assets for GDPR by completing the following action items:
Clearly spell out the type of data you collect from website visitors. Also specify how you use the data.
Provide a way for visitors to exercise their rights under GDPR. We recommend adding links that allow visitors to request that their data be updated, erased, transferred or excluded from direct marketing or processing activities. You can check out an example of a GDPR-friendly privacy policy here.
Add a link to recipients' subscription management settings in the footer of every email. This allows contacts to opt in or out of various communications.
At the bottom of all landing page forms you must ask for consent. Include an opt-in button and a link to your company's GDPR-ready privacy policy.
One of the biggest questions marketers face under GDPR is whether or not the law applies to existing EU citizen data. Do you need to request fresh, GDPR-compliant consent from all EU contacts in your database before May 25?
The answer is not black and white.
The regulation states that if you haven't received consent from a contact in the EU by May 25, you must delete their data from your database and third-party vendors'.
However, GDPR also says that "legitimate interest" qualifies as consent. The question on everyone's mind is, "What is legitimate interest?"
According to award-winning data protection lawyer Suzanne Dibble, it's up to you to decide.
Dibble says that marketing to existing customers without obtaining fresh consent is fine. A recent purchase qualifies as a "legitimate interest" and therefore consent.
However, Dibble also says that sending marketing material to EU citizens you haven't heard from in five years probably won't be considered GDPR compliant. Sending occasional and highly targeted material to past customers, on the other hand, is probably OK.
Ultimately, Dibble's advice is, "Really, put yourself in the customer’s position. Are they going to expect to hear from you or not? If they’re not, then you would need consent if you wanted to start marketing to them."
If you decide to request fresh consent from EU contacts, you must execute a permission pass email campaign before May 25. You won't be able to reach out to anyone who hasn't consented after this date. And you'll have to delete their data for good.
If you're a U.S.-based business, the first thing to do is to segment your database by IP address. From there, you can determine which customers fall under "legitimate interest" and which you'll need to obtain fresh consent from.
Once you have your final list, execute a permission pass campaign. Be sure to use clear, concise language in the email. Explain what data you're requesting consent for and how the data will be used — you must be granular. Make it easy for recipients to provide consent with the click of a button.
If a contact replies with consent — great! You can keep using their data for all purposes stated in the permission pass email. If a contact does not provide consent, or if you do not hear from them before May 25, you must remove them from your database and third-party vendors'.
Permission pass campaigns significantly reduce the number of contacts in your database. If you choose to run one in preparation for GDPR, be ready to lose a large portion of your contacts.
Google Analytics changed their user data retention setting options in an effort to comply with GDPR's clause about not keeping data for "longer than is necessary."
Going forward, Google Analytics will automatically delete website user data once the retention period is up. More importantly, Google recently reset the default retention period to 50 months for all Google Analytics users, including you.
Your website user data will be deleted 50 months after the user visits your site unless you go into your Google Analytics settings and select a different time frame.
You can select any one of the following time frame options:
While Google recommends the 50-month time frame, it is up to you to determine how long is "longer than necessary."
There are two levels of fines for failing to comply with GDPR: two percent of your global annual revenue for minor offences and four percent for violations that seriously infringe on citizens' privacy rights.
Now that you've made it through this entire post, instead of wondering, "What is GDPR?" use the action items listed here to prepare your digital marketing assets for the big dance on May 25!
Remember: while it might not seem like it now, the purpose of GDPR is to protect personal data and guard against breaches.
Want to learn more about how we're preparing our clients for GDPR? Let's chat!