GDPR is Approaching: Are You Ready for the Data Privacy Challenge?

It’s coming. A new regulation in the European Union is about to change the way that your company needs to manage its customer data.

Taking effect on May 25, the General Data Protection Regulation (GDPR) imposes strict new privacy restrictions governing the collection and use of personal data of European Union (EU) citizens. But it doesn’t apply just to companies based in the EU: Compliance is required for any company that has data on any EU citizens, who number more than 500 million. Chances are, your company falls in this bucket.

The implications for marketers are far-reaching. For instance, a U.S. company that uses cookies when an EU citizen visits their website is affected by GDPR if that visitor data is collected in web form-fills. Any sales, marketing or advertising that involves personal EU citizen data falls under the GDPR umbrella. Let’s say a EU citizen gets her conference badge scanned at a trade show exhibit booth in Tokyo, and the lead data is then uploaded into a CRM in Denver — that counts. It will not matter where the data was collected or uploaded or where a marketing campaign is launched, as long as it’s data that represents an EU citizen, you’re subject to the GDPR no matter where data is stored.

GDPR has been in the works for several years, yet the analyst firm Gartner estimates that 50 percent of companies will fail to comply with the regulations when they take effect. Non-compliance carries fines of up to €20 million ($24.8 million) or 4 percent of annual revenues, whichever is greater.

It remains to be seen how aggressively GDPR will be enforced both within the EU and globally, but there is no doubt that GDPR is a watershed moment for all marketers. A U.S.-based company with operations in the EU can certainly be subject to fines for GDPR violations. And while the situation is less clear for companies without a presence in the EU (but which have data on EU residents), experts say that legal frameworks are in place for enforcement actions.

Fundamentally, the GDPR aligns the disparate EU nations under one data privacy law and empowers EU citizens with new rights to guard their privacy. In the regulation, citizens are called “data subjects,” and companies that collect and hold consumer data are “data controllers.” Third parties that process consumer data for a data controller are called “data processors.” For instance, Treasure Data is a data processor for its data controller customers.

GDPR introduces new requirements for companies in several key areas:

• Right to data access. EU citizens have the right to request and receive detailed information on what data your company possesses on them and how it’s utilized.
• Data portability. EU citizens have the right to ask that your company transmit their data to another company, making it easier for them to switch to a competing service or product provider.
• Right to be forgotten. EU citizens can demand you delete all information you have on them (called “data erasure”), and can revoke consents they might have given you previously.
• Breach notification. Applying to both data controllers and processors, this requires that EU citizens be notified within 72 hours of a data breach that might compromise their privacy.

From the Information Commissioner’s Office (ICO): “Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”

If you’re not yet ready for GDPR compliance, what should you do? Unfortunately, there’s no simple plug and play solution. Full compliance with GDPR is necessarily a multi-faceted effort that requires data assessments, new processes and more stringent controls on how you collect, use and share data involving EU citizens.

One challenge is simply documenting where personal data resides. Sources can range from transactional systems to marketing automation, CRM and customer service applications, as well as data intake from third-party service providers. If you’re a Treasure Data customer, then you have consumer data in the Treasure Data Customer Data Platform as well.

You’ll need to rethink the processes by which you collect and share data, and ensure mechanisms to identify those consumers who are EU citizens and secure their explicit consent for data collection. You’ll also need to establish processes by which you reply to GDPR-related requests from EU citizens, and notify them in the event of a data breach.

GDPR compliance will be something of a journey, but it’s a necessary one. Of course, concerns over consumer data privacy are not exclusive to the EU. Citizens around the world are increasingly concerned over the privacy of their data and GDPR compliance can be the forcing function to help companies strengthen data privacy programs and demonstrate accountability, transparency and trust with customers. Furthermore, as marketers we fundamentally know that having only the most qualified and interested contacts in our database, from those who have given us permission to speak to them in a personalized manner while respecting their privacy, reflects well on our brand and fosters deeper customer loyalty.

For the latest marketing guidance on preparing for GDPR, please download The Marketer’s Guide to GDPR here.

*The information in this blog is for general informational purposes only. Please be aware that legal requirements change from time to time and depend on your individual situation. Nothing in this blog should be construed as legal advice or creating an attorney-client relationship. Readers should consult their own legal advisors before acting on any information in this blog.