Evolving technologies have provided marketers with many new opportunities to leverage big data to better understand customers and build relationships with them, but new data protection legislation is just around the corner. Prior to the implementation of the European Union’s new General Data Protection Regulation (GDPR) on May 25th, 2018, marketing organizations based outside of Europe will have to make a critical business decision: are they going to treat all customers like Europeans or not? Those who choose the former implicitly embrace a more global mindset and customer data protection rights, while those who choose the latter risk massive fines from a governmental organization that is looking to make an example of someone. With penalties of up to 4% of gross revenues or 20 million euros, whichever is higher, there are meaningful stakes at play. To put this into context, the $2.7 billion fine levied by the EU against Google in January of this year was only 2.5% of their annual revenue.
If you don’t think your business will be impacted, think again. GDPR is all about the customers and their data. This legislation is a replacement of the EU’s general data protection directive from 1995 and the Privacy Shield (the successor to Safe Harbor) legislation. If you have customers who are EU citizens and you either control or process customer data as part of a sale of goods or services, then your business is affected by this law. It does not matter whether EU customers are physically in Europe or not. Because country of citizenship is not a commonly collected data point, marketers will be at risk of incurring GDPR penalties because they will not know which guidelines to follow for individual consumers. There are additional complications for marketers, as this legislation conflicts to varying degrees with legislation in other countries, including the U.S. FDA recall guidelines, specifically with regard to notification and expediency.
Regardless of the challenges associated with GDPR, what is clear is that a fundamental shift in customer data rights is coming and marketers need to be prepared. At the heart of these rights is control over:
- Consent and Objection
- Data Access and Correction
- Data Portability
- Right to Erasure
Marketers should review their programs, policies, vendor agreements, and make updates to their data management practices prior to May 2018. The 15 areas listed below are a solid starting point to better understand and meet the new GDPR requirements:
- Consent: Consent requests and their purpose must be clear and require an affirmative response, which means no more pre-checked boxes. There are also more stringent parental consent requirements for the processing of data for those under 16 years of age. To address these changes, review and update your unsubscribe processes.
- Profiling: Implement processes that allow for individuals to object to, and halt, processing of their data for automated decision making or profiling. Consent language also needs to be clear about the profiling activities used for marketing purposes.
- Access: Customers have the right to access their data free of charge and it must be provided within a month of the request.
- Objection: Individual data subjects must be informed of their right to opt out of direct marketing communications, and opting in cannot be a condition of an incentive or offer. They also have the right to object to inaccuracies in their data and request that they be corrected.
- Portability: The Right of Portability requires marketers to provide a portable copy of an individual’s data at the individual’s request and in a secure manner.
- Erasure: The Right of Erasure requires deletion of all personally identifiable data, at a minimum, at the consumer’s request. Other legal obligations may override this right in a very limited set of circumstances but this right is stronger than the previous Right to be Forgotten.
- Personal Data: The definition of Personal Data has expanded to include cultural, economic, genetic, mental, and social identity.
- Breaches: Review and update your protocols for breach management, notifications, and escalation. Notice must now be provided to the controlling authority within 72 hours of breach identification.
- Contracts: Review and update all your data processing agreements to comply with processing direction, usage transparency, indemnification, and notification requirements.
- Transparency: Review and update terms, conditions, and privacy notices to make them easily accessible and in plain language.
- DPO: Hire or appoint a Data Protection Officer (DPO) who has access to senior management to manage process change, compliance, and education.
- PIA: Privacy Impact Assessments (PIA) are mandatory in some situations for automated processing systems and you should establish processes to conduct them.
- Privacy by Design: Privacy by design must be part of any product, system, and process development that involves the processing of personal customer data.
- Record: Controllers and Processors must keep records of all processing activities, data subject objections, and consent.
- Data Retention: Large-scale data cleansing needs to be undertaken prior to May 2018 to comply with retention limits for old and unused data.
As with any new legislation, there will be a period of transition as marketers start to understand and comply with the law. However, if unaddressed, each of the areas outlined above will represent a potentially significant financial risk to their organization. Marketers still have time to learn about GDPR and make the necessary changes before the law comes into effect in May of 2018 but they need to start down that path soon. Until marketers are able to distinguish their customers by country of citizenship, the financial stakes are too high not to treat all customers as if they are European. Welcome to Europe!
Check out our GDPR library for more best practices to help with compliance.