The European Union’s General Data Protection Regulation will affect many businesses located outside of Europe. While the headlines have been dominated by the hefty fines for non-compliance, there are positives, including getting to know the consumer data you have, ensuring you have permission to use it, and vetting your service providers.
If you’ve read the stream of articles about the General Data Protection Regulation (GDPR), then you’re probably familiar with the consensus that Europe’s new regulation will significantly impact businesses that handle consumer data.
In addition to the serious fines for violating the new regulation (up to 20 million euros or 4% of global annual revenue, whichever is greater), GDPR, which becomes enforceable on May 25 of this year, is particularly significant for US-based advertising for two reasons:
- Its scope is extra-territorial, which means its rules are not restricted to companies in Europe but apply to organizations both inside and outside the European Union. This means that a US marketer must understand and comply with the components of GDPR if they intend to collect, retain, or use European consumer data.
- GDPR is a significant departure from existing US data protection regulations and the familiar practices that have developed around them. The changes mean it can be challenging to extrapolate what you should be doing to prepare.
If you’re feeling overwhelmed, take heart in knowing you’re not alone. That said, if you haven’t already started preparing, consider taking the following steps.
1. Know what personal consumer data you have
The GDPR covers every type of data about a single European individual – whether identifiable or anonymous – no matter where it is in the world or what industry has collected it. Not only are US marketers who collect EU consumer data accountable for GDPR compliance, but under GDPR they can no longer rely on the concept of anonymity or de-identification to justify collecting and using cookie data, impression data, or de-identified personal data without express consent from the consumer; they are all still protected categories of information for EU consumers under the GDPR’s definition of “personal data.”
This means that at the very least, you need to know if your data asset contains information on European consumers. If it does, it’s covered by GDPR and requires additional care.
If you haven’t already conducted a data inventory, now would be an appropriate time to do one. A good data inventory documents what the data is, where it is from, how old it is, how it was obtained, and what notice was presented to the consumer at the time of collection. And if you’re already poring over your dataset, you might as well document your entire asset to understand your data overall. It will probably come in handy down the road.
2. Make sure you have permission to collect, retain, and use personal data
Under the GDPR, consumers must affirmatively and unambiguously consent to the collection of their data and to each intended use. This is the opposite of the “opt out” or passive consent model applied in the US. It means that companies must clearly explain their data collection practices and provide a means for consumers to expressly and voluntarily permit the collection and use of their data. In other words, pre-checked boxes for marketing communications are no longer acceptable; nor is assuming that you can use personal data collected during a transaction for advertising; nor is making consumer consent a condition of service.
If you have EU consumer data or you intend to collect it, you must make sure you have obtained opt-in consent to do so. And if you don’t have a way to demonstrate that consent was express and voluntary, then you should refrain. Any data collected prior to May 25, 2018, is illegitimate if the notice and choice available to consumers at the time the data was collected does not meet GDPR standards; there is no “grandfathering in” of old data.
This sounds like a big change, and it is certainly necessary for any European data, but it’s worth noting that it is a best practice for your US data as well. Good data privacy practices can still be a market differentiator, and GDPR could be an impetus for positive changes in your company’s data collection practices.
3. Make sure you offer a way for consumers to adjust their preferences or rescind their consent
GDPR gives consumers control over their own data in part by codifying their data rights. This too is different from the US data model, which assumes that the data is owned by those who have it, not by the original source (the consumer). The GDPR’s Subject Access Rights mean companies must provide a way for consumers to access, correct, delete, and move their data. Companies must provide European consumers a simple way to do all of these at any time. It must be as easy for consumers to consent to the collection of their data as it is to retract it.
The challenge here is not just in providing an interface to permit consumers to express their preferences, but also in honoring them. One suggestion is consolidating your customer data into a single CRM system for easier management if you haven’t already done so. It would promote efficiency and peace of mind for your operations – not just in your relationships with EU consumer data but with your US consumer data as well.
4. Vet your marketing service providers
As the controller of your marketing data, you are responsible for ensuring the protection of your customers’ personal data when it’s in the custody of your service providers. It would be a best practice to approach your US customer data with the same care required by GDPR for your European data, which means you should choose your service providers well.
Know what your processors have done to prepare for GDPR and whether there is anything they need from you. Depending on their role, they may need your assistance obtaining consent from consumers for the type of processing they perform. This is particularly true of marketing service providers who rely on cookies or site traffic data, since they may not have the direct interaction with your consumer that is necessary to obtain consent.
5. Plan your marketing campaigns with enough lead time to get the data you need, and make sure you document your decision-making
A primary tenet of GDPR is appropriately balancing consumer risks with consumer benefits, which means “data minimization” is critical. Businesses should collect only what they need to operate and no more, and they should use only what they need so as not to put consumers’ personal data unnecessarily at risk.
Documentation is key. As you plan each campaign and each use of your customer data, think about the impact to the customer, discuss your data needs with your legal team to make sure you are providing the proper notice and taking the necessary precautions, and record why you determined it was acceptable to proceed. This documentation process is called a Privacy Impact Assessment (PIA), and there are standard templates available from organizations like the International Association of Privacy Professionals for your convenience. PIAs are discussed in the GDPR (referred to as Data Protection Impact Assessments or DPIAs) because they can be used to demonstrate thoughtful consideration of the risks and justifications for the campaign. Though the assumption hasn’t yet been tested, it’s possible a PIA could result in lesser penalties in the event a mistake occurs. And aside from the GDPR compliance benefit, PIA documentation could help you review your campaign history in the future. Win-win.
You should, of course, consult with your legal team to understand the nuances of how GDPR applies to your business and to your responsibilities specifically. The good news is there’s still time.
And if you prepare, there really is no bad news.