If you’ve paid attention to the news in recent months, you know that the EU’s new consumer data privacy law, the General Data Protection Regulation (GDPR), goes into effect at the end of this week (May 25, 2018).
Under the regulation, all businesses that handle personal data about EU citizens are required to follow strict guidelines for the collection, use and protection of that data. Additionally, businesses must give consumers the option to request erasure and opt out of profiling.
The GDPR is a move in the right direction. Consumers are warier than ever before about how businesses collect and use their data, especially in the wake of massive data breaches from companies like Equifax. Given the potential consequences of personal data landing in the wrong hands, these data privacy concerns are justified. Businesses that collect and use consumer data should be held to high standards.
If you’re an email marketer, the GDPR will impact your day-to-day job — even if you’re not located in the EU. A recent study found that 85 percent of businesses understand the severity of the regulation and have a plan in place to ensure compliance, while 73 percent have started executing on that plan. Despite having plans in place, 83 percent say they do not feel confident they’ll meet the May 25 deadline. Luckily for them, once a consumer submits an erasure request, they’ll have 30 days to complete it.
Since we’re days away from the GDPR going into effect and most businesses have a plan for compliance in place, I won’t use this column to give advice about how to comply. Instead, I’ve asked Kara Alvarez, my colleague and VP of product at Yes Lifecycle Marketing, to touch on some of the legislation’s vague language and answer questions that marketers may have forgotten to ask as the deadline looms.
(Consider this the usual disclaimer about consulting your own attorney about compliance issues, and a statement that this shouldn’t be considered legal advice.)
Five clarifying GDPR questions answered
Most marketing organizations that use EU consumer data have worked hard to update privacy notices and terms and conditions. However, the GDPR is not explicit about certain issues, such as the exact type of data protected or whether an EU citizen’s data is protected if he or she resides elsewhere. In the following Q&A, I’ll ask Kara for her interpretation of the requirements.
1. What’s the difference between personal data and PII? Which are protected under the GDPR?
KA: Personal data is any data relating to the identity of a person, including information such as age, gender, ZIP code or email address. PII (personally identifiable information) is a type of personal data that is more sensitive because it can be used to directly identify individuals. Examples of PII data include Social Security number, name or driver’s license number.
While some forms of personal data may feel less sensitive, the GDPR protects all personal data, not just PII. Consider ZIP code, for example. ZIP code alone cannot be used to pinpoint the identity of an individual in a large group. However, in combination with gender, age and birth month, someone could reasonably identify an individual.
The GDPR also affords extra protection for special categories of personal data, such as ethnicity or political affiliation, as they can easily be used to discriminate.
2. How do you balance compliance with the GDPR and personalization best practices?
KA: The GDPR will not significantly impact personalization best practices, but will require that marketers add extra consent and opt-out points. For example, the regulation gives consumers the option to object to profiling. Marketers communicating with those individuals will need to send non-personalized content. Additionally, the use of third-rail data points like race, religion and sexual preferences will become exceedingly rare, if not extinct.
Marketers can operate business as usual with consumers who have given consent for businesses to use their data and have not opted out of profiling. If you’ve done everything you can to ensure compliance and follow personalization best practices, your marketing efforts will not suffer.
3. What would you say to a US-based marketer who thinks they’re exempt from the GDPR?
KA: This individual should talk to his or her company’s lawyers. They likely wouldn’t agree. We’ve found that most US businesses have EU citizens in their databases and should take the necessary steps to comply. Also, it will save time and potential penalties in the future as some US states consider enacting similar legislation.
The GDPR also protects EU citizens residing outside of the EU. However, most marketers won’t even have the option to distinguish between a customer’s foreign and domestic behavior. Data points like changes to residency, dual nationality and international transactions are difficult to collect, and it’s hard to justify using them.
4. If I don’t maintain personal data in my communications platforms, will that reduce my risk of violating the GDPR?
KA: No. In fact, it may increase your risk of violation. The GDPR is designed to help marketers understand their data collection responsibilities, not prevent them from using marketing best practices. For example, it’s necessary to keep data in a secure environment to safeguard against data breaches and ask for consent to avoid accidental deployments to those who have opted out.
Don’t let fear of the GDPR penalties prevent you from using personal data to create meaningful, relevant communications. That’s not the intent of the regulation. Instead, consider compliance with the regulation as an opportunity to keep your customer data safe. Today’s consumers take data security seriously and will remain loyal to the companies that go above and beyond to protect their personal information.
5. What happens if my company is not compliant by May 25, 2018?
KA: While some rumors hint that it will be acceptable for businesses to show meaningful progress towards compliance, there is no language in the legislation stating that this will protect a business from prosecution. We strongly recommend that all businesses ensure compliance by May 25, 2018. Those that fail to comply will face fines of up to 4 percent of gross global revenues or 20 million euros, whichever is higher.
The GDPR is an important step toward increased data privacy, which matters because more businesses than ever before use personal consumer data for marketing and sales purposes. However, compliance with the legislation isn’t easy, and it’s important in these remaining days to go back through the process end to end to ensure you’re covered. GDPR fines are quite hefty, and companies that transgress (as some have with CASL) will pay a much higher cost.