New legislation aimed at changing European data privacy laws is set to significantly disrupt the digital marketing industry. With one year to go, what should businesses be doing to ensure they’re compliant with the new Regulation?
Approximately one year from now the General Data Protection Regulation (GDPR), a radical new piece of legislation set to revolutionize how each of the 500m consumers in the EU manages all forms of their data, will be enacted across the European Union.
Even though this is EU legislation, businesses in the US and Canada should still take note, as the new law will apply to you.
The GDPR comes into effect on May 25, 2018, and many are waiting for the European Commission to issue practical advice on achieving compliance. In the meantime there are some things we definitively know, and some steps that businesses can take to start the road to compliance.
If you have customers in the EU, it doesn’t matter if you’re not based there – The GDPR applies to consumers in the EU, so it’s irrelevant whether your business processes data there or has a legal entity there. If you offer goods and services to any EU citizen, you have to comply.
Be aware – When considering the GDPR, there is one important thing to know. A January survey of 2,000 IT professionals in the UK found 53% of them had no awareness of the GDPR. In some ways this isn’t entirely their fault; even those who have been involved in the legislation process are still waiting for clarification on many of the critical elements. There are plenty of resources, but beware of any company promoting its legal services and claiming to have all the answers. They don’t, not currently. (See below for more information.)
Appoint a Data Protection Officer (DPO) – From the beginning, companies should appoint a single point of contact whose job it is to be the GDPR oracle. At first this seemed to be a requirement only for larger companies, but it appears to have expanded to cover any company. However, larger organizations will be more open to scrutiny and more likely to be held responsible for a breach. The DPO must be impartial and work independently from your business, which is why many companies outsource the role.
Seek advice from your local Data Protection Agency (DPA) – Each member state has a local DPA. These DPAs are responsible for offering guidance and help to companies on their road to compliance. The GDPR advises that, because the Regulation is implemented uniformly across the EU, being compliant with one DPA should cover all bases across Europe. A full list of local DPAs is here.
Understand what the GDPR covers – The GDPR isn’t limited to using personal data in digital advertising, but as you’re reading this we’ll assume that’s what you’re most interested in. Therefore it’s essential you grasp the scope of the GDPR. It applies to all personal data, and your interpretation of what constitutes personal data may not be the same as the EU’s. Cookies and IPs could very easily sit alongside your race or sexuality as personally identifiable information.
Learn what pseudonymised data is – The GDPR is designed to encourage businesses to rethink how consumers’ personal data is used, stored, moved and deleted. One concept introduced to minimize risk is ‘pseudonymisation’: scrambling or separating out data so that if someone were to look at the data they wouldn’t be able to attach a person to it. For example, Awin hashes cross-device data to better understand consumer journeys across multiple devices, but we can’t determine who the consumers in those journeys are. The concept of ‘privacy by design’ is important here.
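To make the pseudonymisation idea concrete, here is an added example (not Awin’s code, and not from the original article) that links a consumer’s journey across devices with a keyed hash while keeping the identifier and the key apart. The sample events are constructed, and HMAC-SHA256 is an assumed choice of technique; it also shows why a plain, unkeyed hash of an email address is not pseudonymisation in the GDPR sense, because anyone who can guess the input can recompute it.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one person seen on two devices, another on one.
EVENTS = [
    {"device": "phone", "email": "alice@example.com", "page": "/checkout"},
    {"device": "laptop", "email": "alice@example.com", "page": "/product/42"},
    {"device": "tablet", "email": "bob@example.com", "page": "/home"},
]


def new_key() -> bytes:
    """Random 256-bit pseudonymisation key. Store it separately from the
    event data (secrets manager, HSM) so the data alone cannot be re-identified."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    Normalising (trim + lower-case) makes 'Alice@Example.com' and
    'alice@example.com' map to the same token, so the same person on two
    devices is linkable without the key holder ever storing the email.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def link_journeys(events, key: bytes) -> dict:
    """Group events by pseudonym. Only the token and the behavioural
    fields leave this function; the email is dropped."""
    journeys: dict = {}
    for ev in events:
        token = pseudonymise(ev["email"], key)
        journeys.setdefault(token, []).append((ev["device"], ev["page"]))
    return journeys


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic and keyless, so any
    party holding a list of candidate emails can recompute and match it;
    it does not provide the 'additional information kept separately'
    that pseudonymisation requires."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()
```

Rotating the key (a new `new_key()`) breaks linkage with every earlier dataset, which is useful when a dataset is shared with a partner and must not be joinable back to your own records.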
There are exceptions – Legitimate interests can be cited as a legal basis to use and store personal data, but it’s likely the scope of interest will be narrow. The GDPR spells these out. One of the most valued pieces of practical advice marketers are waiting for is what constitutes consent to use personal data. This guidance should be released this June.
Increased obligations – The GDPR applies to both data controllers and processors. Essentially, companies that act on behalf of a controller (for example a cloud-based storage business) will also need to get their houses in order. This extends the scope of the Regulation to a large number of additional companies. Under the GDPR they will be designated as one or the other.
Don’t lose sight of the positives – Consumers have long been skeptical of how their personal data is used, both on paper and online. By raising awareness and putting control in the hands of consumers, the industry is given a chance to rethink how permissions are sought and how data can be potentially traded in the future. This offers forward thinking and progressive companies the chance to potentially shape a whole new way of engaging with future customers.
You can’t just ignore it – Whether you think it’s the best idea ever to come out of the EU or the scariest threat to our digital economies, the GDPR is unavoidable. To further emphasize that point, breaches of the GDPR could land organizations with fines of up to approximately $23m or 4% of annual turnover (whichever is greater). This is a significant message to the industry.
Before you panic, there is still plenty of time to familiarize yourself with the workings of the GDPR. The UK’s Information Commissioner’s Office has issued some particularly good advice for those starting out.
Alternatively if you want more background, this Wikipedia entry explains more about the working party engaged in rolling out the GDPR.