General Data Protection Regulation (GDPR) is coming. Only another month until it’s officially in place; do you understand it enough to stay compliant?
It’s no secret that the GDPR is prompting significant conversations across the United States right now, especially in marketing. While it will mostly impact the European Union (EU), experts are predicting that the GDPR will spark mass changes in digital marketing all across the world.
What is the GDPR?
Essentially, the GDPR requires that online businesses take active steps to protect the privacy and the submitted data of visitors in the EU. While it is written to protect people in the EU, most marketing experts agree that businesses in other nations are likely to follow suit with similar policies (more on that later in the article).
Unlike many general privacy policies, the GDPR takes a broad view of what counts as “personal data.” It includes not only names, addresses, government ID numbers, and credit card numbers, but also online identifiers such as IP addresses and cookie IDs, and any saved site data that can be tied to an individual (shopping histories and search histories included).
Why the GDPR Won’t Only Impact EU Markets
Companies within the EU and those serving EU markets will obviously be impacted the most by these new privacy laws. But it isn’t just the EU market that will feel the sting. The regulation follows the person, not the company: it applies to anyone processing the personal data of people in the EU, wherever that company sits, and running one privacy regime for EU users and a looser one for everyone else is expensive and error-prone.
As a result, many multinational digital marketers and online entities will default to a single, EU-grade policy that gets applied across the board.
How Far-Reaching is the GDPR for Digital Marketers?
The other issue is the misconception that just because you operate outside the EU or don’t target an EU market, you don’t need to be compliant. Under Article 3, the GDPR reaches any organisation that offers goods or services to people in the EU or monitors their behaviour (which is exactly what tracking cookies and analytics do), as well as anyone with an EU establishment. In practice that pulls in, among others:
- Entities with EU-based servers
- Entities using EU-based third-party processors/publishers
- Entities with EU-based offices (online or offline)
- Entities visited by EU residents whose behaviour is tracked (analytics, advertising cookies), even if they are not the target audience
- Entities using EU-based CDNs or data storage networks
Outsourced processing (points two and five) deserves special attention from digital marketers. Vet every processor you use, whether it sits inside the EU or outside it: Article 28 requires a written contract with each one that spells out the security measures it must take and forbids it from subcontracting without your approval. If a processor fails your visitors, it is you, as the controller, who will be held responsible, with the processor potentially liable alongside you.
The GDPR’s Main Tenets
Now, down to the nitty-gritty. What exactly does the GDPR demand? Its requirements can be simplified to the seven principles set out in Article 5. We’ll review them in the next few sections.
Lawful, fair and transparent processing
You must be transparent about the data you collect, why you collect it, how you process it, and who you share it with (Articles 13 and 14). Visitors, leads, and clients should be able to find this in a privacy notice on your website, along with a contact point for questions about their data. A Data Protection Officer (DPO) is mandatory only in specific cases, notably large-scale, regular and systematic monitoring of individuals (Article 37), but behavioural tracking at scale can meet that bar, so check whether you cross it.
For most digital marketers, the biggest change here will be deciding whether they need a DPO and, if so, appointing and training one. Transparency also requires disclosing the recipients, or at least the categories of recipients, of the data, so you may have to name your third-party data processors and hosting providers. That in turn means being exceptionally careful about who you partner with for data processing and storage.
Purpose limitation
You can no longer collect data solely for the sake of collecting data. Each item must be collected for a specified, explicit and legitimate purpose, and you can’t later reuse it for an unrelated purpose without a fresh lawful basis.
For digital marketers, this tenet will be especially important; it means you can’t ask your leads for more information than you lawfully need on signups, campaign interactions, and contact forms.
In practice, you probably can’t ask someone for their home address or telephone number if you ask them to sign up for a newsletter or whitepaper. But you can ask them for that information if you’re shipping them a product.
Data minimisation
The GDPR also requires that data be “adequate, relevant and limited to what is necessary” for the purpose it was collected for (Article 5(1)(c)). In practice, you can’t hold on to much of the data you’re probably using already, including customer behavior data, marketing campaign interaction histories, and possibly even shopping or conversion histories, “just because it might be useful later.”
Instead, the GDPR requires that entities hold the least amount of data needed to serve the visitor or customer. This makes remarketing and campaign analysis much harder, and it already affects how services like Google Analytics, which track customer behavior, usage patterns, and even on-page click zones, can be deployed: expect to need consent for analytics cookies, IP anonymisation, and shorter retention windows.
Accurate and up-to-date processing
In some ways, this tenet actually helps digital marketers because it encourages us to better serve our customers. The GDPR states that online entities must take steps to make sure the data they collect and store is accurate, up-to-date, and continuously fit for the purpose it was collected for in the first place.
The biggest change in digital marketing will be how we use data that is collected or saved over time. Instead of assuming what we have is accurate and framing campaigns around it, we need to find ways to validate the data: asking leads to confirm it (where there is a lawful reason to contact them), or running checks that detect stale and erroneous records. Article 5(1)(d) asks for every reasonable step to erase or rectify inaccurate data without delay, so marketers who knowingly keep running on bad data may be considered noncompliant.
Limitation of storage
Digital marketers can no longer store personally identifying data indefinitely: personal data may be kept in identifiable form only as long as there is a specific and lawful need for it. In practice that means knowing exactly where every copy of the data lives, how it moves, who manages it, and how it is protected, because a retention policy you can’t enforce isn’t one.
This will impact digital marketing in a few different ways. Retention limits apply to backups and exports as well as to the live database, so you need to know how many copies exist and when each one is purged, rather than keeping endless snapshots. The GDPR also expects you to understand how subjects could be identified if a breach occurs, and to limit that exposure where possible, for instance by pseudonymising records and narrowing who can access them.
Limitation of storage also affects where you store your data. The regulation doesn’t name specific media, but it requires “appropriate technical and organisational measures” (Article 32), and scattered copies on USB sticks, employee laptops, or contractors’ machines are hard to defend as appropriate and impossible to honour a deletion request against. That will cause quite a few headaches for the average digital marketing agency, especially if you work with contractors. Agencies and marketers will need to craft tight data retention and management policies to compensate.
Confidential and secure
The GDPR’s sixth tenet, integrity and confidentiality, is about making sure the data you collect stays confidential and secure, and it reaches further than it sounds. It covers computer systems and networks, paper filing systems, portable media such as external drives and USB sticks, and email.
Essentially, the entity collecting the data is responsible for putting appropriate security measures in place at every step. That covers how you prevent and detect intrusions, how you stop malicious or careless employees from leaking information, and how you hold your third-party processors, hosting and server providers included, to the same standard.
To become compliant in this area, digital marketers need access policies for everyone at the agency or within the business: employees should have access only to what their role requires, no more, no less, and that access should be reviewed when roles change. Systems must be protected from intrusion, online and offline, including viruses, malware, and ransomware. Article 32 specifically calls out encryption and pseudonymisation, the ability to restore access to data after an incident (which is where tested backups come in), and regular testing of the measures you have in place.
Accountability and liability
Last but not least is accountability. The GDPR requires every entity that processes the personal data of people in the EU to be able to demonstrate compliance on demand (Article 5(2)). That demand could come at any time, especially if you serve an EU market or a data subject complains to a supervisory authority about your data practices.
Exactly what “demonstrate compliance” means is still being worked out, but at minimum it means being able to show how, when, where, and with what measures you protect data under each of the tenets above, typically through records of processing activities (Article 30) and written policies. Marketers must also be able to respond to requests from data subjects, including subject access requests to see the data you hold (Article 15) and erasure requests (Article 17), normally within one month.
This goes beyond opt-out links in emails and account deactivation options on your website. Deactivating an account while keeping the record is not erasure. Unless you have a lawful basis to retain specific fields, such as invoices you are legally obliged to keep, the data has to actually be deleted, from backups and processor copies included.
Ultimately, digital marketers will need to create a process that not only fulfils the guidelines but is also auditable and provable at every step from collection to deletion. If you can’t do that, or if you break any of the other tenets on this list, you could be fined up to four percent of your global annual turnover or €20,000,000, whichever is higher.