Categories
Digital Marketing

GDPR: What US-Based Businesses Need to Know

The GDPR has changed how businesses and websites must handle the personal data of consumers and site visitors. US-based business owners may assume it does not apply to them; think twice. Websites that attract a global audience may need to comply with the GDPR or face enforcement action from EU regulators, and some US sites have chosen to block visitors from the EU rather than comply, which means people there can no longer see their content at all.

What Exactly Is GDPR?

GDPR stands for General Data Protection Regulation. All companies that process the personal data of people in the (currently 28) EU member states must comply with the new legal framework. The GDPR was adopted in April 2016 and became enforceable on May 25, 2018, replacing the 1995 Data Protection Directive, which had been in force for a little over 20 years and was considered badly outdated.

As a directive, the original Data Protection Directive had to be transposed into national law, which let member states customize the rules to their own needs and produced 28 slightly different regimes. The GDPR is a regulation: it applies directly in every member state without national legislation, and it leaves only limited room for national variation (for example, the age below which a child needs parental consent for online services).

The GDPR is rather lengthy, with a total of 99 articles that describe the obligations on businesses and the rights of individuals. Most notable for US companies is that the personal data of people in the EU remains protected when it is transferred out of the EU: sending it to servers or offices in other countries does not strip it of those protections, and such transfers are only allowed under specific conditions.

Does the GDPR Apply to US-Based Businesses?

Absolutely. US-based businesses need to pay special attention to the GDPR. If your business or website touches the personal data of people in the EU (residents, not only citizens) in any way, shape, or form, whether you are aware of it or not, your business may have to be GDPR compliant. US-based airlines, hotels, and businesses of all kinds must handle the information of people in the EU in a way that complies not only with their own local laws, but with the GDPR as well.

The GDPR treats any information relating to an identifiable person as personal data, and singles out some kinds for extra protection.

Examples include:

  • Direct identifiers (names, birthdates, addresses, national ID numbers such as US SSNs)
  • Health data, including genetic data
  • Online identifiers, including IP addresses and cookie identifiers
  • Data about sex life or sexual orientation
  • Racial or ethnic origin
  • Biometric data used to identify someone
  • Political opinions, religious or philosophical beliefs, and trade union membership

The first three are ordinary personal data. The rest are "special categories" under Article 9: processing them is prohibited unless one of a short list of exceptions applies, such as explicit consent.

There are certain criteria for identifying whether you must comply with the GDPR. Use these as a guideline, but don’t assume you are safe just because none of these entries apply to you. You should always speak with a lawyer to be sure.

The criteria for businesses that must comply with the GDPR include:

  1. Offering goods or services to people in the EU, or monitoring their behavior (for example through tracking cookies), whether or not money changes hands and whether or not you have a physical presence there. Processing catalogue orders or mailing products to EU addresses counts.
  2. Having an establishment in an EU member state, such as an office, subsidiary, or staff on the ground.
  3. Size does not matter. The 250-employee figure that often gets quoted only concerns the Article 30 duty to keep written records of processing activities, and even smaller organizations must keep those records if their processing is more than occasional, is likely to pose a risk to individuals’ rights, or involves special-category data.

How to Comply with GDPR Regulations

When GDPR first went into effect, you probably received a dozen or more emails from companies you do business with letting you know that their privacy policies had been updated.

Even Facebook prompted users to review their privacy settings, putting special emphasis on what information advertisers could see and how they could be targeted.

This made sense, because the repercussions are very serious. Any US-based business with a web presence that falls within the GDPR’s scope needs to be in compliance at all times; ignorance of the law or regulation will not protect you.

The first thing to remember is that the test is where the person is, not what passport they hold. If someone is physically in the EU when they use your website, your website must comply, whatever their citizenship. If an EU citizen is outside the EU at the time, perhaps visiting the United States, the GDPR’s extraterritorial rules do not reach that interaction.

The second thing you need to know is that there does not need to be a financial exchange for a product or service for the GDPR to apply. Marketing surveys, email newsletters, and any forms that collect data require you to take action to protect the personal data of people in the EU.

Where things become more nuanced is that, for a business with no EU establishment, your website needs to target people in the EU for the GDPR to apply; mere accessibility from the EU is not enough. For example, if you are a small B2B organization with an English-language website geared toward US customers, and someone living in an EU country finds it and makes a one-off purchase, that alone does not bring you under the GDPR.

If your website deliberately targets EU countries in any way, via language, currency, or campaign goals, you must comply. Accepting a European currency, running an alternate domain with an EU country-code suffix, having content written in an EU language, or mentioning EU customers are all indicators that you are targeting the EU market. Tracking the behavior of visitors in the EU (cookies, analytics, retargeting) is a separate trigger on its own.

Heavily Impacted Industries and Compliance

The most impacted US-based industries known for international operations are those that fall into hospitality and travel. Companies that deal in e-commerce, technology, and software should be especially conscious as well. Any website owner who could potentially market in the EU should review their website and organizational practices to be sure they are compliant.

The biggest issue with compliance is consent. Where you rely on consent, it must be freely given, specific, informed, and unambiguous, and given by a clear affirmative action: pre-ticked boxes, silence, or inactivity do not count. In other words, customers get to opt in; you do not get to force them to opt out.

Even if a customer makes a purchase from you, doing so does not by itself give you permission to add them to a mailing list and keep contacting them with email promotions. A customer must have an unticked box to check to give permission, and you must keep a record of when and how they gave it, because you may be asked to prove it.

Not sure how to implement opt-ins? Call us at the Sachs Marketing Group office. Through our web design service, we can help you optimize and adjust to ensure opt-ins are present without distracting from conversions.

Complications and Consequences

The documentation and articles that make up GDPR is lengthy, complicated, and can be relatively confusing to the average business. If you have any doubts at all, contact a lawyer with experience in ecommerce and GDPR regulations.

Failure to secure consumer data, or to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (and to notify the affected individuals when the breach poses a high risk to them), can result in hefty fines and penalties. There is no room for error when it comes to securing the personal data of consumers anywhere, but EU regulators and data subjects are watching carefully for any breach of protocol. Take the steps you need now to revamp your web practices, guidelines, and internal policies so that you don’t end up in news headlines later.


How the GDPR is Changing Digital Marketing

General Data Protection Regulation (GDPR) is coming. Only another month until it’s officially in place; do you understand it enough to stay compliant?

It’s no secret that the GDPR is raising some very significant and important conversations across the United States right now, especially in the realm of marketing. While it will mostly impact the European Union (EU) experts are predicting the GDPR will spark mass changes in digital marketing all across the world.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new privacy regulation being rolled out by the European Union this year. It was formally adopted in April 2016, but enforcement was set to begin on May 25, 2018 to give businesses and online entities time to make changes and become compliant.

Essentially, the GDPR demands that online businesses take active steps to protect the privacy and submitted data of visitors in the EU. While it is specific to people in the EU, most marketing experts agree that businesses from other nations are likely to follow suit with similar policies (more on that later in the article).

Unlike typical privacy policies, the GDPR is broad and wide-ranging in what it treats as personal data. It includes not only name, address, social security numbers, and credit card numbers, but also IP addresses, cookie identifiers, and saved site information that can be linked to an individual (including shopping histories or search histories).

Why the GDPR Won’t Only Impact EU Markets

Companies within the EU and those serving the EU markets will obviously be impacted the most by these new privacy laws. But it isn’t just the EU market that will feel the sting – why is this?

Essentially, experts believe it will become too difficult to create multiple policies for each area of the world, especially if that online entity is straddling multiple markets at the same time. Having a separate privacy policy for EU residents and, say, US residents would demand that website owners and marketers create two different content sets for each market – significantly more work.

As a result, many of these multinational digital marketers and online entities will default to a single, EU-specific policy that gets applied across the board.

How Far-Reaching is the GDPR for Digital Marketers?

The other issue is the misconception that just because you operate outside of the EU you don’t need to be compliant. Article 3 of the GDPR brings a business into scope if it:

  • Has an establishment in the EU, such as an office, subsidiary, or staff on the ground
  • Offers goods or services to people in the EU, even for free
  • Monitors the behavior of people in the EU, for example with tracking cookies, analytics, or ad retargeting

Merely hosting on EU servers, using an EU-based CDN or storage provider, or hiring an EU-based third-party processor does not by itself bring a non-EU business into scope, and neither does the occasional visit from an EU resident to a site that does not target the EU. Those EU vendors will, however, insist on GDPR processing terms in their contracts, and if you do fall within scope, the data they hold on your behalf is yours to account for.

That last point is especially important for digital marketers who outsource services. Be extremely careful about outsourcing to companies, in or outside the EU, with weak data protection practices: the controller remains responsible for its processors, so if they fail your visitors in any way, it is ultimately you who may be held responsible.

The GDPR’s Main Tenets

Now, down to the nitty-gritty. What exactly does the GDPR demand? It can be simplified to seven specific guidelines. We’ll review them in the next few sections.

Lawful, Fair and Transparent Processing

You must be transparent about what data you collect, why, and how you process it, and you must tell people this at the point of collection, typically through a privacy notice linked from your website. Some organizations must also appoint a Data Protection Officer (DPO): public bodies, and those whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data. Where a DPO exists, their contact details must be published so that visitors, leads, and clients can raise questions about their data.

For many digital marketers, the biggest change here will be deciding whether a DPO is required and, if so, appointing and training one. It also means the privacy notice must disclose the recipients, or categories of recipients, of the data, so your third-party data processors and hosting providers can no longer stay hidden. And it means you need to be exceptionally careful about who you partner with for data processing and storage.

Purpose Limitation

You can no longer collect data solely for the purposes of collecting data. Instead, you need to have a specific and lawful reason for collecting the data.

For digital marketers, this tenet will be especially important; it means you can’t ask your leads for more information than you lawfully need on signups, campaign interactions, and contact forms.

In practice, you probably can’t ask someone for their home address or telephone number if you ask them to sign up for a newsletter or whitepaper. But you can ask them for that information if you’re shipping them a product.

Data Minimization

The GDPR’s data minimisation principle requires that personal data be “adequate, relevant and limited to what is necessary” for the purpose it was collected for. Essentially, you can’t hold on to a significant amount of the data you’re probably using already, including customer behavior data, marketing campaign interaction histories, and possibly even shopping or conversion histories, “just because it might be useful later.”

Instead, the GDPR demands that entities hold the least amount of data needed to serve the visitor or customer. This will make remarketing and campaign analysis harder, and it affects how you configure services like Google Analytics, which tracks customer behavior, usage patterns, and even on-page click zones.

Accurate and Up-To-Date Processing

In some ways, this tenet actually helps digital marketers because it encourages us to better serve our customers. The GDPR states that online entities must take steps to make sure the data they collect and store is accurate, up-to-date, and continuously fit for the purpose it was collected for in the first place.

The biggest change in digital marketing will be how we use data that is constantly collected or saved over time. Instead of assuming what we have is accurate and framing campaigns around the information we have, we need to find ways to validate the data. This may include asking leads to confirm (if there is a lawful reason) or simply running algorithms that detect erroneous data. Digital marketers who simply run with data that contains errors may be considered non-compliant.

Limitation of Storage

Digital marketers won’t be able to store personally identifying data long-term any longer unless there is a specific and lawful need; each purpose should carry a defined retention period, after which the data is deleted or anonymised. The GDPR doesn’t stop there; through the accountability and security principles it also expects entities to know where data is stored, how it moves, who manages it, and how it is protected.

This will impact digital marketing in a few different ways. Primarily, you won’t be able to keep endless, uncatalogued data backups: backups are subject to retention limits too, so you need to know how many copies exist and when they expire. The GDPR also expects you to understand how subjects could be identified if a breach occurs, and to limit that identifying information (for example through pseudonymisation) and the access to it wherever possible.

Limitation of storage also impacts where you store your data. The GDPR does not name specific devices, but scattered copies in multiple places, on easily removable media like USB sticks, or on employee-specific laptops make it very hard to honour retention limits and deletion requests, or to demonstrate appropriate security, particularly if those copies are unencrypted. This will likely cause quite a few headaches for the average digital marketing agency, especially if you work with contractors. Agencies and marketers will need to craft tight data retention and management policies to compensate.

Confidential and Secure

The GDPR’s sixth tenet focuses on making sure that data collection measures are confidential and secure, but it isn’t as straightforward as it sounds. The security obligations extend to computer systems, networks, paper records, portable storage media, and even email servers.

Essentially, the GDPR indicates that the entity collecting the data must be responsible for enacting appropriate security measures along the way. This includes how you prevent hacking incidents, how you prevent malicious employees from stealing information, and even how you interact with third-party data processors, including ISPs and server providers.

To become compliant in this specific area, digital marketers will need to create access policies for everyone at the agency or within the business. Employees should have access only to what they need, no more, no less. Systems must be protected from intrusion, both offline and online, including viruses, malware, and ransomware.

Accountability and Liability

Last but not least is the GDPR’s accountability principle. It demands that all entities serving or interacting with people in the EU must be able to actively demonstrate compliance on demand. And that demand could potentially come at any time, especially if you serve an EU market or a person in the EU happens to complain about your data practices along the way.

Exactly what “demonstrate compliance” means is a little hard to pin down. What we do know so far is that businesses must be able to show how, when, where, and what they do to protect data under each of these tenets, which in practice means written policies and records of processing. Marketers must also be willing and able to respond to requests from data subjects, including requests to access the data collected about them and requests to erase it completely, normally within one month.

This goes beyond just having opt-out options on emails and account deactivation options on your website. The GDPR does not treat deactivation as a form of data removal at all. Only full, complete deletion satisfies an erasure request, with narrow exceptions such as data you are legally required to keep or need in order to defend legal claims.

Ultimately, digital marketers will need to create a process that not only fulfills the guidelines, but is also auditable and provable at every single step from collection to deletion. If you can’t do that, or if you break any of the other tenets on this list, you could be fined up to four percent of your global annual turnover or €20 million, whichever is the higher number.
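The following is an added example, not code from the original article or from any product it mentions, showing what an auditable collection-to-deletion process can look like in practice. It ties together the Purpose Limitation, Data Minimization, Limitation of Storage and Accountability sections above: every record must name a registered purpose with a lawful basis and a retention period; consent-based purposes refuse anything but an explicit opt-in; expired records are purged; a subject access request exports everything held about a person; and erasure really deletes the records while leaving an audit trail keyed by an HMAC pseudonym, so the deletion can be proven later without keeping the identifier around. The purposes, retention periods, subjects and the audit key are all constructed for illustration.

```python
"""Added example: a minimal, auditable consent and retention store.

Every name, purpose, retention period and subject below is constructed
for illustration; the audit key is a placeholder that would come from a
secrets store in real use.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Purpose registry: purpose -> (lawful basis, retention period).
# Assumption: these are the only purposes this hypothetical shop uses.
PURPOSES = {
    "order_fulfilment": ("contract", timedelta(days=365 * 2)),
    "newsletter": ("consent", timedelta(days=365)),
}


@dataclass
class Record:
    subject: str            # the identifier, here an email address
    purpose: str            # must be a key of PURPOSES
    data: dict
    collected_at: datetime
    consent: bool = False   # explicit opt-in; False means none recorded


class ConsentStore:
    def __init__(self, audit_key: bytes):
        self._records: list[Record] = []
        self._audit: list[dict] = []
        self._audit_key = audit_key  # stored apart from the records

    def pseudonym(self, subject: str) -> str:
        """Keyed hash of the identifier for the audit log: not reversible
        without the key, but lets later events about the same person be
        correlated with earlier ones."""
        digest = hmac.new(self._audit_key, subject.lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def _log(self, subject: str, event: str, **extra) -> None:
        self._audit.append({"who": self.pseudonym(subject), "event": event,
                            "at": datetime.now(timezone.utc).isoformat(), **extra})

    def collect(self, subject, purpose, data, consent=False, now=None) -> None:
        # Purpose limitation: refuse data that has no registered purpose.
        if purpose not in PURPOSES:
            raise ValueError(f"no registered purpose: {purpose}")
        basis, _ = PURPOSES[purpose]
        # A consent-based purpose needs an affirmative opt-in, never a default.
        if basis == "consent" and not consent:
            raise ValueError("consent-based purpose requires an explicit opt-in")
        now = now or datetime.now(timezone.utc)
        self._records.append(Record(subject, purpose, dict(data), now, consent))
        # The audit entry records field names only, never the values.
        self._log(subject, "collect", purpose=purpose, basis=basis, fields=sorted(data))

    def purge_expired(self, now=None) -> int:
        """Storage limitation: drop records older than their purpose's retention."""
        now = now or datetime.now(timezone.utc)
        keep, dropped = [], 0
        for r in self._records:
            if now - r.collected_at > PURPOSES[r.purpose][1]:
                self._log(r.subject, "expire", purpose=r.purpose)
                dropped += 1
            else:
                keep.append(r)
        self._records = keep
        return dropped

    def access_request(self, subject: str) -> list[dict]:
        """Subject access: everything held about this person, with purpose and basis."""
        self._log(subject, "access_request")
        return [{"purpose": r.purpose, "basis": PURPOSES[r.purpose][0], "consent": r.consent,
                 "collected_at": r.collected_at.isoformat(), "data": dict(r.data)}
                for r in self._records if r.subject.lower() == subject.lower()]

    def erase(self, subject: str) -> int:
        """Erasure: actually delete the records (no 'deactivated' flag); only the
        pseudonymous audit entry survives, so the deletion stays demonstrable."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject.lower() != subject.lower()]
        removed = before - len(self._records)
        self._log(subject, "erase", removed=removed)
        return removed

    def audit_trail(self, subject: str) -> list[dict]:
        p = self.pseudonym(subject)
        return [e for e in self._audit if e["who"] == p]

    def holds_identifier(self, subject: str) -> bool:
        """True if the raw identifier still appears anywhere in records or audit log."""
        blob = repr(self._records) + repr(self._audit)
        return subject.lower() in blob.lower()


def demo() -> dict:
    """Walk a constructed subject through collection, expiry, access and erasure."""
    store = ConsentStore(audit_key=b"example-audit-key-rotate-me")  # placeholder key
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    alice = "alice@example.com"
    store.collect(alice, "order_fulfilment", {"name": "Alice", "address": "1 Main St"}, now=t0)
    store.collect(alice, "newsletter", {"name": "Alice"}, consent=True, now=t0)
    try:  # an implied or pre-ticked consent is rejected outright
        store.collect("bob@example.com", "newsletter", {"name": "Bob"}, consent=False, now=t0)
        bob_rejected = False
    except ValueError:
        bob_rejected = True
    expired = store.purge_expired(now=t0 + timedelta(days=400))  # newsletter record is past 1 year
    export = store.access_request(alice)
    removed = store.erase(alice)
    return {"bob_rejected": bob_rejected, "expired": expired,
            "export_purposes": [e["purpose"] for e in export], "removed": removed,
            "identifier_retained": store.holds_identifier(alice),
            "audit_events": [e["event"] for e in store.audit_trail(alice)]}
```

Running `demo()` shows the newsletter record expiring after its one-year retention while the two-year order record survives, the access request returning only what is still held, and the erasure leaving no trace of the email address in either the records or the audit log. The audit key is the one thing that must be protected separately: whoever holds it can re-link the pseudonyms to real people, so it belongs in a secrets store with a rotation plan, not beside the data.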
