You may have seen the term “GDPR” buzzing around your LinkedIn feed or elsewhere on the internet, and rightly so: GDPR (General Data Protection Regulation) legislation is going into effect on May 25th of this year.
If your general counsel has already prepped you on GDPR and its implications on your business, feel free to stop reading, but if this term is new to you, or you didn’t realize that new legislation would affect your marketing programs, read on! But before you do, it’s important to note that this should not be considered legal advice. Your legal counsel or outside attorney should be consulted to ensure that any precautions you take are covered from a legal perspective as it relates to your jurisdiction.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intended to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
Why should you care?
- GDPR is meant to protect an EU citizen’s personal data no matter where it is stored
- Legislation goes into effect on 25 May 2018
- Non-compliance is expensive: fines of €20 million or 4% of a company’s global annual revenue
The Six Principles of GDPR, summarized [1]:
- Fair and Lawful: The processing of data must be lawful and transparent: tell people what you’re collecting, why, and how you intend to use it.
- Adequacy: Data should not be transferred outside of the European Economic Area (EEA) unless adequate data protection is in place.
- Purpose: You need a reason for every data point you collect: no more long forms with useless collection fields.
- Accuracy: Citizens have the right to an accurate portrayal of their personal data, and a controller must make efforts to ensure it is accurate and up-to-date.
- Retention: Data can only be retained for the amount of time needed for its original intended use.
- Security and Accountability: Steps must be taken to ensure security, and data breaches must be reported within 72 hours.
How GDPR affects your company, and what you should be doing to ensure compliance
If you are marketing to individuals within the European Union, you need to ensure the following steps are taken into account:
Any email forms must contain a clear, affirmative action and a secondary check-box. For example, your message should be similar to “[checkbox] Yes, I want to receive regular emails.” Please note the checkbox must remain unchecked by default. This language can be flexible, but it may not be ambiguous, and consent must be given freely.
If you have data on an individual, they must be able to access their preferences at any time and must be able to remove any information that they have provided. Please keep in mind that aside from name, email address, physical address, etc., this also includes their IP address and any physical, cultural or social identifiers that your marketing team has collected during marketing efforts (including advertising!). As new data is collected, consumers must be able to access and remove that data, too.
Have you re-opted-in existing EU users to comply with GDPR? How best to handle this is a decision for the company level, made with your legal counsel; companies have been choosing from a wide range of strictness in their standards. Some companies send an email to their entire database, asking individuals to re-opt-in to continue receiving communications. Others use a gauge of recent activity, such as an email open or click. Your legal counsel will be best suited to help make this decision.
Do you have unnecessary data? Are you storing any information about your consumers that is irrelevant to your business needs? If so, you will need to delete this information prior to 25 May 2018.
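The opt-in form requirement above (unchecked box, unambiguous wording, freely given consent) is easy to get wrong on the server side, where a pre-ticked box or a loosely parsed value quietly turns consent into an opt-out. The following is an added example, not code from the original post or from Chameleon: it models the sign-up form as a plain object so it runs in Node without a DOM, checks that the form ships unchecked, accepts only an explicit affirmative tick, and produces a consent record that can later prove what the person agreed to and when. The field names, the consent wording and the version label are assumptions for illustration.

```javascript
// Added example (not from the original post): server-side handling of a
// GDPR-style email opt-in. Field names, wording and version are assumptions.

const CONSENT_TEXT = "Yes, I want to receive regular emails."; // shown verbatim on the form
const CONSENT_VERSION = "2018-05-v1"; // constructed label identifying this wording for audit

// The default state a compliant form must render with: checkbox unchecked.
function defaultFormState() {
  return { email: "", consentChecked: false, consentText: CONSENT_TEXT };
}

// Check a rendered form's default state before it ships: a pre-ticked box
// would make consent an opt-out, which is not a clear affirmative action.
function formDefaultsAreCompliant(form) {
  return form.consentChecked === false && form.consentText === CONSENT_TEXT;
}

// Validate a parsed submission (booleans already normalised by the body
// parser) and build an auditable consent record. `now` is injected so the
// result is deterministic and testable.
function recordConsent(submission, now = new Date()) {
  const errors = [];
  const email = String(submission.email || "").trim();
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) errors.push("invalid email");
  // Consent must be an explicit affirmative act: a missing, false or
  // non-boolean value is treated as "no consent", never as a default yes.
  if (submission.consentChecked !== true) errors.push("consent not given");
  // The wording the user actually saw must match the text kept on file;
  // otherwise the record cannot show what was agreed to.
  if (submission.consentText !== CONSENT_TEXT) errors.push("consent text mismatch");
  if (errors.length) return { ok: false, errors };
  return {
    ok: true,
    record: {
      email,
      consentVersion: CONSENT_VERSION,
      consentText: CONSENT_TEXT,
      givenAt: now.toISOString(), // when consent was given, for the audit trail
      source: submission.source || "web-form", // where it was collected
    },
  };
}
```

Storing the record (email, wording version, timestamp, source) alongside the subscriber is what lets you answer an access request or an auditor's "when did this person consent?" without guesswork.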
Here are three things to keep top of mind as we move towards May:
- Think global. Even if your company is not actively pursuing business in the European Union, you would be wise to enact measures now. As we’ve seen with anti-SPAM legislation in the past, other countries typically follow suit.
- Check for security vulnerabilities early, and often. If you are an international company and collect data from EU citizens, make sure you are actively scanning your website and databases for security vulnerabilities. Ensure your website technology is up-to-date: don’t ignore patch updates and recommendations from your e-commerce platform provider. Fix vulnerabilities immediately, and report any security breaches within the required 72 hours.
- Ensure future data collection is compliant. Marketers have a tendency to throw everything but the kitchen sink into their email sign-up forms. While name, email and country are often required, not only for ensuring compliance but also to fulfil relevant marketing communications, other fields are not. GDPR legislation requires that companies delete any data that is not imperative to the operation of their business, so only collect what you need. Remember that advertising falls into this realm, too, especially if you’re running retargeting campaigns. And lastly, keep your software vendors in check: last October, MailChimp released an update to all forms on their platform, switching double opt-in to single, which caused an uproar among EU customers [2]. In a perfect world your vendors would be compliant, but it’s also your responsibility to ensure that any vendor you use to collect your consumers’ data is held to the strictest standards.
Weighing opportunities and risks
Because so many brands are behind in implementing precautions for their consumers’ data, the risk is great: GDPR is not yet in effect, yet the EU has already been actively cracking down on data breaches.
In January, the Information Commissioner’s Office (ICO) issued a £400,000 fine to Carphone Warehouse [3] after a hacker exposed customer data in 2015 through an out-of-date WordPress installation which had not been updated since 2009. And this is pre-GDPR! Once legislation goes into effect, fines could equate to either 4% of a company’s global revenue or £18 million ($24 million) – whichever is greater.
But it’s not all bad news. As with any customer relationship – whether B2B or B2C – the relationship has to be built on trust. Once your customer feels safe with how his or her data is being collected and stored, there’s a huge opportunity for sell-through. If you’re a company that sells goods on Amazon or Google, data security and AI will only improve perception of smart home devices, leading to increased shopping and spending habits among consumers.
How is Chameleon helping brands get ready for GDPR?
In my role here at Chameleon, GDPR typically relates to email marketing, advertising and website security. We’re having conversations on exactly what data each client needs to keep, and purging unnecessary data. We’re reviewing opt-in forms, unsubscribe policies and preference centers. It’s always difficult to part with data that you’ve worked hard to collect (and have often spent a sizable amount of money for!), but in the end you’re left with a more manageable data set, and consumers that share their info through a double opt-in or via specific opt-in language are more likely to engage with a company’s brand because they feel safe and have a sense of trust knowing their data is being used appropriately.
From an advertising perspective, we’re revisiting cookie duration and how we’re using that information. Do we really need to target users for more than 30 days? Unlikely – as data often shows that purchase intent drops significantly after a set number of days. But we’ll be monitoring – and refining – to make sure we only cookie as long as necessary.
And finally, from a website perspective, it’s imperative that my clients stay up-to-date with security patches on their respective website platforms. Whether it’s a simple WordPress security patch, or something larger that affects Shopify or Demandware, we’re getting into a cadence of rolling out fixes immediately. The few hours it takes to apply a website security update are well worth it when weighed against both the financial risk and the trust we have built with our clients and their consumers.
If you’re interested in learning how Chameleon can help your company prepare your marketing efforts in advance of GDPR, email me at [email protected].
1. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
2. https://blog.mailchimp.com/why-single-opt-in-and-an-update-for-our-eu-customers/
3. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/01/carphone-warehouse-fined-400-000-after-serious-failures-placed-customer-and-employee-data-at-risk/