A Guide to GDPR Compliance for Marketers: What Is GDPR and How to Avoid Fines
GDP what? That question sums up the main problem American marketers are having with the fast-approaching deadline to comply with the European Union’s privacy regulations. They don’t understand it and many of them don’t even think it applies to them. But starting on May 25, all — every single one — of the European Union’s citizens will be protected by General Data Protection Regulation (GDPR), whether they’re in Europe or not. And whether the businesses they patronize are in Europe or not. So Target Marketing created a guide for marketers on GDPR compliance.
That's why U.S.-based hotels, e-commerce companies and more should be prepared for GDPR. But as of March 14, half to two-thirds of them — and all other brands around the world — are not, says a representative of the Irish government.
“Many don't realize how GDPR is going to apply to them,” says Shane Nolan, SVP of technology, consumer and business services at the Investment Development Agency (IDA) Ireland, an Irish government agency. “The scenarios are like that e-commerce company, where they're not actually marketing in Europe, but they're picking up business from EU customers, and shifting to Europe. They have EU citizen data on their systems. All of GDPR applies to them as a result.”
So what’s an American marketer to do in order to be ready by the GDPR effective date, May 25? Here’s a quick GDPR overview, and advice from Nolan and others familiar with the requirements on how to get your brand ready for them.
Not Complying Will Involve Hefty GDPR Fines
Brands that don’t comply by May 25 may receive GDPR fines immediately, says Allen Nance, CMO of the Austrian marketing software provider Emarsys.
So simply ignoring GDPR isn’t an option — unless businesses can afford losing up to 4 percent of their global revenue for the previous year.
Marketers Must Review Their Data for GDPR Discovery
GDPR regulators are going to want to know that the data brands hold on private EU citizens came from those consumers opting in to become customers and selecting their preferences for how their data may be used. Marketers will need to obtain this consent before using customer data. EU citizens also have a right to be erased from databases.
So mailing lists, especially purchased or shared ones, are a major area of caution.
“We marketers don’t own customer data — we borrow it,” Nance says. “Customers trust us with it and expect that we use it to provide them with personalized and relevant content that engages and delivers interesting products they may purchase. But one too many brands have exploited their customers’ data, selling email lists; opting customers in for dozens of email communications; and not providing safeguards for consumers to opt out. Simply put, companies should not be marketing to consumers who haven’t given them their consent.”
The thought leaders Target Marketing contacted suggested marketers find the EU citizens in their files and see if they opted in and if they specified how the brands should use their information. After that, marketers should determine if they shared the data and if the EU citizens opted in for that data sharing.
If it’s not clear where the data came from, where it went or what permissions it carries, or if anything else about it violates GDPR, the thought leaders advised marketers to cleanse their files.
“Data cannot be passed from one party to another without the patrons’ consent,” advises Cambridge, UK-based managed document solutions firm ASL. “Before you pass on data, ensure that the owner is aware and has given a resounding YES.”
A GDPR Compliance Checklist for Marketers
If your brand hasn’t even started preparing for GDPR, as Nolan says some haven’t, here are some steps you can take to comply.
Here’s a checklist Justhy Deva Prasad, the chief data officer at Swiss-based tech firm Claritysquare, offers to help brands get ready for GDPR requirements:
- Make sure that decision-makers and key people in your organization are aware that the law is changing to GDPR
- Document what personal data you hold, where it came from and who you share it with. Prasad adds: “Know and treat data sensitively while considering data portability and erasure. Under the GDPR, organizations must provide EU residents with the ability to access, correct and erase their data, as well as allow them to move it to another service provider if they so choose.”
- Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation
- Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format
- Update your procedures and plan how you will handle requests to take account of the new rules
- Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it
- Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard
- Start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach
- Enable “Data Protection by Design” and “Data Protection Impact Assessments.” [As in, create a way for customers to “manage their consent preferences (‘privacy by design’) and submit data subject access requests (DSARs),” as IBM did.]
- Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements
- If your organization operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
Regarding “privacy by design,” one of GDPR’s most significant new requirements, Prasad says: “Incorporate privacy by design into your culture and DNA. The GDPR requires privacy and data protection controls to be incorporated by design into any new or existing systems or processes that involve EU resident personal data. Ensure that communications and training programs address this as a part of your culture initiatives.”
He adds: “Get good at performing data protection impact assessments (DPIAs). Ensure that DPIAs are an integral part of your existing business and technology processes. The GDPR requires organizations to conduct data protection impact assessments for any new processing or changes to processing deemed to represent a high risk to the privacy and protection of EU resident personal data. This calls for a high level of transparency of both the process, as well as data landscape.”
Also know that any “processing” of EU citizens’ personal data falls under these rules, even if they haven’t bought any products or services from you. Even if you give them something for free.
Referring back to Bullet Point No. 1, brands should begin to train marketers, as well as anyone else in the organization who’s dealing with EU citizens’ personal data, on how to comply with GDPR. It may prevent data breaches or, at the very least, help organizations know sooner when there’s a problem because staffers can identify it faster.
John Timmerman, global industry evangelist with Dayton, Ohio-based marketing data and analytics provider Teradata, says brands can view GDPR as an opportunity to gain customer trust by showing customers how well the brand already cares for their data as it carries out GDPR’s ongoing assessments, auditing and evaluation.
Prasad also emphasizes that marketers should “step up to a culture of managing data risk in your business. Get control over third-party risk management. Remember, that person-centric data is most valuable to your business anyway. It is the billion-dollar byte. GDPR is now an opportunity to get your act together, even when third parties are managing your data.”
[Author’s note: Target Marketing ran an article about setting up a data privacy structure and, while that structure needs GDPR modification, marketers can extrapolate on the strategy detailed here: “How to Prevent a Customer Data Breach Disaster ... and What to Do When You Fail.”]
Have Mechanisms in Place for GDPR’s Required 72-Hour Data Breach Reporting Window
One key to building the capabilities required by GDPR compliance is to get rid of your brand’s culture of fear. Employees have to feel safe disclosing that there’s been a data breach. If “failure” isn’t tolerated in the organization, it could cost brands millions.
With GDPR, there’s a 72-hour window to disclose data breaches, so smart marketers will realize there’s no time to assign blame.
“It is also worth noting that employees must not feel scared about flagging mistakes,” advises ASL. “Create a culture in the workplace where it is known that mistakes can be easily rectified and not dwelled upon.”
Then, understand specifically what the EU considers a data breach: GDPR describes a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Critics of GDPR have already called its language vague, so Prasad’s advice that the data leader at the brand get to know the supervisory authority early is prescient here.
After marketers know there’s been a data breach, they have 72 hours to disclose it to the authority and to customers.
GDPR requires marketers notifying the supervisory authority of the data breach to:
• Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
• Describe the likely consequences of the personal data breach;
• Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this article.
So, marketers, now that you can answer the question “What is GDPR?” and you know all about GDPR compliance, what GDPR requirements remain for you to tackle? What will be your biggest ongoing challenge in order to remain in compliance with the law? Please let us know. We’d love to keep this conversation going.