Is May 25, 2018 a big day in your life?
It certainly will be if you are an email marketer who does business in the European Union. And that’s even if you are based in the United States. It’s the date that the EU’s General Data Protection Regulation (GDPR) goes into effect.
It’s a very big deal.
GDPR is the most significant change in data privacy regulation in the EU in 20 years, and it has global implications.
“This regulation will apply to all companies selling to and storing personal information about citizens in Europe, including companies on other continents,” writes Jennifer Lund at SuperOffice.
“It provides citizens of the EU and European Economic Area with greater control over their personal data and assurances that their information is being securely protected across Europe. If your business offers goods and/or services to citizens in the EU, then it’s subject to GDPR.”
“Many people might think that the GDPR is just an IT issue, but that is the furthest from the truth,” Lund adds. “It has broad-sweeping implications for the whole company, including the way companies handle marketing and sales activities.”
Todd Ruback at eMarketer says implementation of GDPR is part of strategic effort to spark EU tech growth.
“This is one step in the larger pan-European strategy called the Digital Single Market [DSM],” he writes. “They’re trying to create conditions within the EU to spawn the next Facebook or Google—essentially an EU tech company.”
The new regulation’s impact will be sweeping
“The EU GDPR will impact the lives of more than 500 million people in 28 countries and will attempt to provide consumers the improved privacy and protection they’ve been demanding without stifling a business’ ability to innovate and market itself,” writes Kevin Lynch at Instapage. He adds that the coming regulation will have “a profound effect on business, regardless of the size of an organization. Facebook, Alphabet, Apple, and possibly you, will have to adhere to the wishes of the consumer and guarantee that they have ultimate control over how they want their data used.”
Penalties for not complying with the new rules will be stiff. According to Lynch, authorities “will have the power to fine anyone in violation of the GDPR. Fines can go up to four percent of annual global sales or €20 million (US$21.1M) — whichever is higher.”
It’s worth noting that Britain has indicated that GDPR will be enforced in that country, despite its pending exit from the EU.
Preparing for GDPR
“The GDPR guidelines will mean you will need to review both how you capture and how you process user data,” writes Alan Ilhan at Email on Acid, who shares eight steps he’s tailored specifically for non-UK marketers to help ensure compliance on Day One.
–Awareness – Make sure decision makers and key people in your organization are aware that the law is changing to the GDPR.
–Information you hold – You should document what personal data you hold, where it came from and who you share it with.
–Communicating privacy information – You should review your current privacy notices and put a plan in place for making any necessary changes.
–Individuals’ rights – You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically.
–Subject access requests – You should update your procedures and plan how you will handle requests within the new timescales.
–Lawful basis for processing personal data – You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice.
–Consent – You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
–Data breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
It may be natural for marketers to view GDPR as burdensome; however, Lund sees an upside.
“While GDPR does create challenges and pain for us as businesses, it also creates opportunity,” she writes. “Companies who show they value an individual’s privacy (beyond mere legal compliance), who are transparent about how the data is used, who design and implement new and improved ways of managing customer data throughout its life cycle, build deeper trust and retain more loyal customers.”
In addition to the resources linked to above, these resources can help marketers understand and prepare for GDPR:
GDPR Portal – The “official” GDPR website
GDPR:Report – “How marketers can take action on GDPR today”
The Direct Marketing Association – “What U.S. marketers must know and must do about GDPR”
Econsultancy – “How should non-EU businesses prepare for the GDPR?”