Big news for marketers, regardless of where they’re located: On May 25, 2018, the EU General Data Protection Regulation (GDPR) takes effect. The GDPR is designed to protect the private data of EU citizens while giving them the power to control what happens with their data.
Failure to comply could result in serious penalties. For the most serious grievances, companies can be fined €20 million (about $24.5 million) or 4% of yearly revenue—whichever is higher.
Even if you operate out of the United States, the GDPR could still impact your company, as it covers any entity processing the personal data of anyone living in the European Union. Because of this, simply having a website that collects consumer data could open you up to GDPR regulations.
With so much on the line, it’s crucial marketers all over the world understand the basics of GDPR.
The GDPR will change how many of us operate. The biggest changes will surround consent, data security, and customer access to data.
Under the new GDPR rules, anytime you want to collect or use a customer’s data for a specific purpose, you need consent. If you want to track their behavior on a website, you need consent. If you’d like to email a monthly newsletter, you need consent. If you want to share their data with a subsidiary, you need consent.
While you can receive this consent upfront, your request and explanation should be in simple language so that anyone can understand exactly how the data will be used. Similarly, you can only use it for the purposes you’ve outlined. If you collect an email address for the purpose of your monthly email blast, you can’t hand it off to a subsidiary to use in their email blasts—unless you clearly explain that intention upfront.
In addition, GDPR forbids asking for more than what’s essential for the task you intend to complete. Going back to our newsletter example: If you’re collecting email addresses for a newsletter, you shouldn’t also ask for phone numbers; they’re not needed for email blasts. With this in mind, you should review all content currently on your website. Check the fields you ask customers to complete. Ensure you’re not requesting anything unnecessary for your intended tasks.
As its name suggests, the General Data Protection Regulation wants consumer data to be protected. The GDPR requires that all systems used to store customer data should have protections built right into them; IT departments can’t just put up protections on the outside.
Marketers should work closely with IT to ensure all customer data is secure from tampering. In addition, all marketers should adhere to cyber security best practices.
Similarly, you must keep your databases maintained. If the relationship with a customer is terminated, you should get rid of their data.
Finally, customers must be notified quickly if there’s a data breach. GDPR requires companies to notify customers of data breaches within 72 hours of learning about the breach.
At any time, an EU citizen has the right to know if his or her data is being used, and what it is being used for. If an individual calls in with a question, he or she should be answered within a reasonable timeframe.
Because of this, data must be stored efficiently and properly indexed so that a customer’s name can be quickly searched.
EU citizens also have the right to be forgotten. At a customer’s request, his or her data can be permanently erased from your system.