MarTech’s Guide to GDPR — The General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that governs consumers’ private information. It came into full force in May 2018, and it could have a big effect on how businesses all over the globe handle privacy.
The GDPR puts regulatory teeth into longstanding governmental guidance about how EU member states handle personally identifiable information. This level of regulatory overview of personal data is unprecedented and will require companies to ensure the highest levels of privacy protection or suffer dire financial consequences.
We’ve put together this guide to help marketers understand not just what the GDPR is, but also how it is being implemented and enforced, whether or not their companies will be impacted and how to prepare. We’ll continue to keep this guide updated with new information as issues facing non-EU entities arise. Follow all of our GDPR-related news coverage here.
How did these regulations come about, and why should US companies care?
The GDPR is the latest in a series of EU parliamentary measures designed to put the highest levels of protection around personal data. From its charter: “The protection of natural persons in relation to the processing of personal data is a fundamental right.”
Whereas American laws and regulations tend to favor business over the consumer, the EU has always promoted a “consumer-first” point of view, starting with the Organization for Economic Co-operation and Development (OECD) Guidelines (adopted in September 1980), which, in turn, were based on the Protection of Privacy and Transborder Flows of Personal Data, then Directive 95/46/EC — also known as the Data Protection Directive. That guidance was agreed on by the EU member states and the US through a Safe Harbor agreement, then tested through two major legal challenges, resulting in the need for GDPR.
If this sounds like a mouthful, it’s because it is a long-winded way of saying that the EU is aggressive about protecting consumer privacy, and it has been for a long time. Now, it hopes to lead the way globally with a broad, comprehensive law backed by unprecedentedly steep fines of up to 4 percent of a company’s total global revenue — fines that could easily cripple a business that breaches its policies.
So, how does this affect American businesses?
Recognizing that data can travel well beyond the borders of the EU, GDPR provides protection to EU citizens no matter where their data travels. This means that any company, anywhere, that has a database that includes EU citizens is bound by its rules. Businesses of all sizes are affected — from micro to multinational. No one is exempt.
In order to comply, American companies can either block EU users altogether (an impossible choice for a multinational brand) or have processes in place to ensure compliance.
What does the GDPR entail?
Basically, the GDPR protects user data in just about every conceivable way. The GDPR operates with an understanding that data collection and processing provides the basic engine that most businesses run on, but it unapologetically strives to protect that data every step of the way while giving the consumer ultimate control over what happens to it.
In order to be GDPR-compliant, a company must not only handle consumer data carefully but also provide consumers with myriad ways to control, monitor, check and, if desired, delete any information pertaining to them that they want.
Companies that wish to stay in compliance must implement processes (and in many cases, add personnel) to ensure that when data is handled, it remains protected. To comply with this requirement, the GDPR promotes pseudonymization, anonymization and encryption.
Anonymization is the encryption or removal of identifiable information so that it can never be tied back to a user. Pseudonymization is somewhere between identified and anonymous. With pseudonymization, the data components are anonymized and separated but can be put back together. For example, a system might assign a user one identifier for location and another for the browser that can only be tied back to the user if it is put together with their date of birth, which is kept separately. The regulation promotes pseudonymization over anonymization.
According to GDPR, companies must ensure that customers have control over their data by including safeguards to protect their rights. At its core, the protections have to do with processes and communications that are clear and concise and are done with the explicit and affirmative consent of the data subjects.
How do the regulations seek to protect consumers?
Broad jurisdiction. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides.
Strong penalties. Breaches can cost companies up 20 million euros or up to 4 percent of their annual global turnover. Some infractions are less expensive but still represent a significant penalty.
Simplified and strengthened consent from data subjects. Consent must be given in an easy-to-understand, accessible form, with a clear written purpose for the user to sign off on, and there must be an easy way for the user to reverse consent.
Mandatory breach notification. Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of its discovery. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
A reiteration of important consumer rights. This includes the data subject’s right to get copies of their data and information on how it’s being used and the right to be forgotten, also known as Data Erasure. Additionally, it will also allow customers to move their data from one service provider to another.
Better systems. In order to comply with the core foundation of “privacy by design,” the GDPR requires processes to be built with data protection in mind, rather than treated as an afterthought.
Specific protection for children. Since kids are generally more vulnerable and less aware of risks, GDPR includes guidance that includes parental consent for children up to age 16.
[newsletter-form id=’6379′ text=’Stay up to date on GDPR-related and other marketing technology news. Sign up for our newsletter below.’]
Introducing the data protection officer
The GDPR requires companies that process large amounts of data to hire dedicated personnel to manage all aspects of GDPR compliance. The Data Protection Officer (DPO) is expected to be in addition to any current IT or data security personnel working for the company and is the point person for GDPR compliance and liability.
Will this really affect American companies? How will it be enforced?
Whereas the GDPR requires member states to establish supervisory authorities with the power to monitor compliance, the situation is murkier for non-EU countries.
The truth is that no one really knows how the GDPR will be enforced on American soil, and we likely won’t know until we see the first test case. Of course, for multinational companies with divisions in Europe, the supervisory authorities can hold the EU representatives accountable. And the US Commerce Department-created EU-US Privacy Shield framework was implemented specifically to comply with transatlantic data protection requirements. But we won’t know exactly how it will play out until a US company is found non-compliant.
What can a company do to be in compliance?
If you aren’t sure, here are some basic points to consider when developing a plan:
- Integrate your IT and marketing departments. Soon. Between the threat of cybercrime and the necessity for specific monitoring and implementation strategies, your IT department will be your new best friend. Those who use martech technology will now have more reason to invest in and use secure and customized IT solutions to stay on the right side of the regulations — and the right side of consumers’ trust.
- Hire a Data Protection Officer (DPO). The GDPR assigns liability to the data processors and controllers and does not require smaller operations to hire a data officer. But it’s an investment that’s worth some serious consideration. The potential damage to your company’s bottom line is not worth the risk. If nothing else, the GDPR has a singular message: Consumer information deserves to remain private. So anything you can do to stay in compliance will help you overall.
- Complete a thorough audit, or Data Protection Impact Assessment (DPIA), of your current data security system. The best way to ensure compliance is to have an accurate assessment of your current data processes. That way you can identify high-risk areas and fix any potential problem areas before enforcement begins.
- Educate your staff. Although the bulk of the responsibility falls to your security staff, anyone who handles information needs to be educated about the GDPR. This includes staff that interacts with new customers or users, those that maintain CRM systems, and even data entry personnel.
- Use tools that will ensure privacy. Every day there are more and more companies popping up with pseudonymization solutions and other ways to keep compliant. Work with your DPO and your IT department to find the solution that works best for you.
- Work with third-party providers who are GDPR-compliant. This includes your email service provider, your CRM service and your marketing and PR agencies. You can be held responsible for breaches made by processors you work with. It’s important to ensure that all aspects of your data processing are in compliance.