Rumors around the European Union’s General Data Protection Regulation (GDPR) have turned into full-on rumblings in recent months, as the new rules go into effect in May. The EU regulation will affect how marketers across every business and industry interact with consumers.
In practice GDPR will shield consumers from the default position of having their personal data tracked across the internet. If an EU consumer wants their personal data to be accessible for collection and tracking, they must take specific steps to consent.
The details matter, so here's an overview of the regulation and its implications — note this is not legal advice. As always, we encourage you to consult with your own legal counsel to familiarize yourself with the requirements that govern your specific situation. Salesforce is committed to helping you remain successful in this new environment, and believes that understanding the ins and outs is the best place to start.
GDPR stands for General Data Protection Regulation. It regulates how companies can collect, process, and use personal data from EU individuals. It was adopted in 2016 and goes into effect May 2018. For marketers, in particular, the regulation impacts how you keep track of and communicate with consumers.
While the GDPR applies to companies headquartered in the EU, it also applies to any business or organization processing the personal data of EU individuals, regardless of where they are headquartered.
The consequences for noncompliance are steep. Serious infractions carry a fine of up to €20 million or 4% of a company’s annual earnings, whichever is greater.
The EU is sending a clear message that it’s taking a strong stance on data protection. For that reason, marketers need to be ready to comply.
While, for now, the new law only affects brands located or doing business in the EU, all marketers should be aware of GDPR requirements for how companies must collect, process, and delete consumer data.
A big push behind the GDPR is the desire for more transparency between consumers and companies when it comes to personal data. Consumers want to know when, how, and why their personal data is being collected.
The GDPR requires companies to inform consumers of all the personal data collected about them and how it will be used. Companies must also notify consumers that they may revoke their permission to collect and use that data at any time.
Because the GDPR does not recognize opt-out consent as a default, pre-checking a consent box when a new consumer opens an account, makes a transaction, or signs up for a newsletter will no longer cut it as consent to collect or use their data for any other reason. Consumers must be given the opportunity to decide whether to give consent (or opt in) to any use of their data for communications, tracking, or anything else. This means marketers will need to come up with more creative tactics to encourage consumers to opt in for things like product suggestions and communications.
These rules apply not only to data collected after the regulation goes into effect but also to data collected before it. Unless marketers have been following practices that would meet GDPR standards all along, they must obtain opt-in consent from consumers or discontinue use of the data they’ve collected.
Once you have obtained consent to use a consumer’s data, the important thing to remember is to use it only for that reason. If you want to use it for another reason or to share it with another party, you must obtain separate permission from the consumer to do so. For example, if a consumer opted in to receive product offers via email and now you’d like to track their activity across your website as well, you’ll have to obtain separate consent to do so.
The other important part of the GDPR that pertains to using data is the safe and secure storage of it. This encompasses many definitions of “safe and secure,” including:
Storing it in a way that it cannot be stolen, lost, or altered.
Encrypting it during transit to prevent it from being accessed by unauthorized people or systems. If you already use Marketing Cloud, you don’t need to worry about this.
Ensuring that only the people who need to access it for the specified purpose (marketers, for example) are able to do so. Marketing Cloud already segregates data at the account level, so that only properly designated people can access it.
The GDPR stresses that protection is especially critical for biometric data — for example, a fingerprint that can be used to unlock a phone — or data about children.
Finally, the GDPR governs how companies relinquish data once their relationships with consumers have ended. To protect consumers’ “Right to Erasure,” companies must now have a plan in place for deleting data. As mentioned above, the GDPR says that companies may only use personal data with clear consent by the consumer and for a specified purpose. Once that purpose has been fulfilled, a company must justify any reason for continuing to hold onto personal data.
If, at any time, a consumer requests that a company delete their personal data, the company must respond within 30 days (keeping in mind that the right to deletion is not absolute under the GDPR). Similarly, if a person requests a correction or update to their personal information, the company must respond to that request within 30 days.
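The consent and erasure rules described above (no consent by default, one consent per purpose, a 30-day response window for deletion requests) as an added Python example; this is not code from the original post or from Marketing Cloud, and the ConsentLedger class, its method names, and the purpose labels are this example's own.

```python
"""Purpose-bound consent ledger (added example, not part of the original post).

Models three rules from the text: a pre-checked box records no consent, consent
is scoped to one purpose so a second purpose needs its own opt-in, and an erasure
request starts a 30-day response clock. Names are hypothetical, not a real API.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RESPONSE_WINDOW = timedelta(days=30)  # response deadline the text gives for erasure requests


@dataclass
class Consent:
    purpose: str            # e.g. "email_offers" or "web_tracking" (labels are constructed)
    granted_on: date
    evidence: str           # what the consumer actually did, kept as the compliance record
    revoked_on: Optional[date] = None


@dataclass
class ConsentLedger:
    consents: dict[str, list[Consent]] = field(default_factory=dict)  # subject -> history
    requests: dict[str, date] = field(default_factory=dict)          # subject -> request date

    def record_opt_in(self, subject, purpose, evidence, on, prechecked=False):
        # A pre-checked box is not an affirmative action, so nothing is recorded.
        if prechecked:
            return False
        self.consents.setdefault(subject, []).append(Consent(purpose, on, evidence))
        return True

    def may_use(self, subject, purpose):
        # Consent is per purpose: consent for email offers does not cover web tracking.
        return any(c.purpose == purpose and c.revoked_on is None
                   for c in self.consents.get(subject, []))

    def revoke(self, subject, purpose, on):
        # Consumers may withdraw permission at any time; keep the record, mark it revoked.
        for c in self.consents.get(subject, []):
            if c.purpose == purpose and c.revoked_on is None:
                c.revoked_on = on

    def request_erasure(self, subject, on):
        self.requests[subject] = on
        return on + RESPONSE_WINDOW          # latest date by which a response is due

    def overdue_requests(self, today):
        return [s for s, d in self.requests.items() if today > d + RESPONSE_WINDOW]

    def erase(self, subject):
        self.consents.pop(subject, None)
        self.requests.pop(subject, None)
```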
The GDPR is all about transparency and protecting the rights of consumers. Companies that do business in the EU can protect themselves by following GDPR requirements and keeping detailed records to demonstrate their compliance.
At the end of the day, the GDPR clarifies the relationship between consumers and brands, encourages transparency, and protects the rights of EU individuals. Brands that comply — and many already have practices in place that do so — can benefit from a more trusting and open relationship with the people they depend on.