Evolving technologies have provided marketers with many new opportunities to leverage big data to better understand customers and build relationships with them, but new data protection legislation is just around the corner. Prior to the implementation of the European Union’s new General Data Protection Regulations (GDPR) on May 25th, 2018, marketing organizations based outside of Europe will have to make a critical business decision: are they going to treat all customers like Europeans or not? Those who choose the former implicitly embrace a more global mindset and customer data protection rights, while those who choose the latter risk massive fines from a governmental organization that is looking to make an example of someone. With penalties up to 4% of gross revenues or $20 million euros, whichever is higher, there are meaningful stakes at play. To put this into context, the $2.7 billion fine levied by the EU against Google in January of this year was only 2.5% of their annual revenue.
If you don’t think your business will be impacted, think again. GDPR is all about the customers and their data. This legislation is a replacement of the EU’s general data protection directive from 1995 and the Privacy Shield (the successor to Safe Harbor) legislation. If you have customers who are EU citizens and you either control or process customer data as part of a sale of goods or services, then your business is affected by this law. It does not matter whether EU customers are physically in Europe or not. Because country of citizenship is not a commonly collected data point, marketers will be at risk of incurring GDPR penalties: they will not know which guidelines to follow with individual consumers. There are additional complications for marketers, as this legislation conflicts to varying degrees with legislation in other countries, including the U.S. FDA recall guidelines, specifically with regard to notifications and expediency.
Regardless of the challenges associated with GDPR, what is clear is that a fundamental shift in customer data rights is coming and marketers need to be prepared. At the heart of these rights is control over:
Marketers should review their programs, policies, and vendor agreements, and make updates to their data management practices prior to May 2018. The 15 areas listed below are a solid starting point to better understand and meet the new GDPR requirements:
As with any new legislation, there will be a period of transition as marketers start to understand and comply with the law. However, if unaddressed, each of the areas outlined above will represent a potentially significant financial risk to their organization. Marketers still have time to learn about GDPR and make the necessary changes before the law comes into effect in May of 2018, but they need to start down that path soon. Until marketers are able to distinguish their customers by country of citizenship, the financial stakes are too high not to treat all customers as if they are European. Welcome to Europe!
*This presentation is designed to provide a basic level of understanding of GDPR and highlight key areas we think are most critical to our clients. This is not legal advice. All marketers should consult their legal counsel to address their unique needs and compliance requirements. As some aspects of the law are clarified or amended, our position on some elements is subject to change without notification.