A few weeks ago, we covered the Facebook case and its breach of data privacy regulations in the Cambridge Analytica scandal. This week, we will go more in-depth about GDPR, and how to avoid making a similar mistake.
Have you been receiving data policy updates from companies such as Google and Facebook? Lately, it appears every online company has updated their data policies, and it’s certainly not by coincidence.
GDPR, or the General Data Protection Regulation, is a regulation in European Union law that protects the privacy and data of individuals within the EU. Because the internet makes it so easy, companies routinely gather, store, and use consumer data. But the question is, how responsibly do they handle that data?
To protect EU citizens’ data privacy and restructure the way that organizations approach data privacy, the GDPR was approved by the EU Parliament on April 14th, 2016, and will be enforced on May 25th, 2018. This means that any company involved with online marketing efforts will have to comply, regardless of where they are headquartered.
What does it mean to comply with the GDPR? Previously, many lawsuits exposed the ambiguity of where data protection rules apply: is it where the company is headquartered, where the data is processed, or where the data collection takes place? Under the GDPR, the regulatory landscape extends past EU territory. If you offer goods or services in the EU, then the regulation applies to your company.
Penalties and breach handling are also major changes in the GDPR. The maximum fine for organizations is 4% of annual global turnover, or 20 million euros, whichever is greater. A company can be fined up to 2% for not notifying authorities about a breach or not conducting an assessment. Cloud processors can also be penalized.
Finally, consent to collect data is strengthened. Companies that collect and process data must now request consent from users through a form, and it must be as easy to withdraw consent as it is to give it. This change, together with the extended territorial scope of the regulation, will affect the way companies run their marketing campaigns.
Even if your company does not offer online services, it still needs to comply with the GDPR when creating marketing campaigns, specifically in 3 areas: getting consent or permission, deleting data, and data transparency.
Let’s use an email campaign as an example. To obtain an email address, the user must opt in by providing it. You see this in pop-ups for newsletters, free trials, contact pages, and any other form visitors fill out. The form itself needs to be GDPR compliant by explicitly stating what the information will be used for.
Before the GDPR update, companies could place this statement in small text at the bottom of a form. Now, the user must actively agree to the terms and conditions and approve that their data be used for email marketing. Visually, this can be a set of check boxes where users select how their data is collected and retained.
Companies must have a specific purpose for collecting user data, so the data collected must be limited to that purpose. Data may be used and retained only for as long as it serves that purpose. Any other purpose requires fresh consent.
If a user denies the re-consent request, they should be able to easily revoke permission to access their data themselves. Companies must also delete users’ data after the user revokes permission.
What does this look like in email marketing? Using our previous example, consent must be given for the exact use of the data. If the use is explicitly stated, and the user gives consent, then the data collection and retention are compliant with GDPR.
The GDPR will be enforced on May 25th, 2018, which is only a short 2 weeks from today. Although it seems like more effort to include additional steps in the campaign, marketing campaigns will be more focused and organized in the long run. SEO and marketing companies such as ASTOUNDZ are not foreign to change – in fact, we seem to always find a way to adapt. Marketers should not fear the changes in GDPR, but instead use it to their advantage. Stay prepared and compliant, because your competitors might not be and might see consequences from it. Does this mean more room in the industry for compliant companies such as yours? I think so.