MarTech Today’s Guide to GDPR — The General Data Protection Regulation

A European Union (EU) regulation that governs consumers’ private information gains regulatory power in May 2018, and it could have a big effect on how businesses all over the globe handle privacy.

The General Data Protection Regulation (GDPR) puts regulatory teeth into longstanding governmental guidance about how EU member states handle personally identifiable information. This level of regulatory overview of personal data is unprecedented and will require companies to ensure the highest levels of of privacy protection or suffer dire financial consequences.

We’ve put together this guide for marketers to understand not just what is the GDPR, but also how it is being implemented and enforced, whether or not your company will be impacted, and how to prepare to for compliance. We’ll continue to keep this guide updated with new information as the compliance deadline approaches and issues facing non-EU entities arise. Follow all of our GDPR-related news coverage here.

How did these regulations come about, and why should US companies care?

The GDPR is the latest in a series of EU parliamentary measures designed to put the highest levels of protection around personal data. From its charter: “The protection of natural persons in relation to the processing of personal data is a fundamental right.”

Whereas American laws and regulations tend to favor business over the consumer, the EU has always promoted a “consumer-first” point of view, starting with the Organization for Economic Co-operation and Development (OECD) Guidelines (adopted in September 1980), which in turn were based on the Protection of Privacy and Transborder Flows of Personal Data, then Directive 95/46/EC — also known as Data Protection Directive. That guidance was agreed on by the EU member states and the US through a Safe Harbor agreement, and then tested through two major legal challenges resulting in the need for the GDPR.

If this sounds like a mouthful, it’s because it is a long-winded way of saying that the EU is aggressive about protecting consumer privacy, and it has been for a long time. Now, it hopes to lead the way globally with a broad, comprehensive law backed by unprecedentedly steep fines of up to 4 percent of a company’s total global revenue — fines that could easily cripple a business that breaches its policies.

So how does this affect American businesses?

Recognizing that data can travel well beyond the borders of the EU, the GDPR provides protection to EU citizens no matter where their data travels. This means that any company, anywhere, that has a database that includes EU citizens is bound to its rules. Businesses of all sizes are affected — from micro to multinational. No one is exempt.

In order to comply, American companies can either block EU users altogether (an impossible choice for a multinational brand) or have processes in place to ensure compliance.

What does the GDPR entail?

Basically, the GDPR protects user data in just about every conceivable way. The GDPR operates with an understanding that data collection and processing provides the basic engine that most businesses run on, but it unapologetically strives to protect that data every step of the way, while giving the consumer ultimate control over what happens to it.

In order to be GDPR-compliant, a company needs to not only handle consumer data carefully, but it must provide consumers with myriad ways to control, monitor, check and, if desired, delete any information pertaining to them that they want.

Companies that wish to stay in compliance must implement processes (and in many cases, add personnel) to ensure that when data is handled, it remains protected. To comply with this requirement, the GDPR promotes pseudonymization over anonymization.

Anonymization is the encryption or removal of identifiable information so that it can never be tied back to a user. Pseudonymization is somewhere between identified and anonymous. With pseudonymization, the data components are anonymized and separated but can be put back together. For example, a system might assign a user one identifier for location and another for browser that can only be tied back to the user if it is put together with their date of birth, which is kept separately. This is key to compliance, since the GDPR requires companies to be able to give users an accurate accounting of their data.

According to the GDPR, companies must ensure that customers have control over their data by including safeguards to protect their rights. At its core, the protections have to do with processes and communication that are clear and concise and are done with the explicit and affirmative consent of the data subjects.

How do the regulations seek to protect consumers?

Broad jurisdiction. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides.

Strong penalties. Breaches can cost companies up 20 million Euros or up to 4 percent of their annual global turnover. Some infractions are less expensive but still represent a significant penalty.

Simplified and strengthened consent from data subjects. Consent must be given in an easy-to-understand accessible form, with a clear written purpose for the user to sign off on, and there must be an easy way for the user to reverse consent.

Mandatory breach notification. Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of its discovery. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.

A reiteration of important consumer rights. This includes the data subject’s right to get copies of their data and information on how it’s being used and the right to be forgotten, also known as Data Erasure.

Better systems. In order to comply with the core foundation of “privacy by design,” the GDPR requires processes to be built with data protection in mind, rather than treated as an afterthought.

Stay up to date on GDPR-related and other marketing technology news. Sign up for our newsletter below.

Introducing the data protection officer.

GDPR requires companies that process large amounts of data to hire dedicated personnel to manage all aspects of GDPR compliance. The Data Protection Officer (DPO) is expected to be in addition to any current IT or data security personnel working for the company and is the point person in terms of compliance and liability for GDPR.

Will this really affect American companies? How will it be enforced?

Whereas the GDPR requires member states to establish supervisory authorities with the power to monitor compliance, the situation is murkier for non-EU countries.

The truth is that no one really knows how the GDPR will be enforced on American soil and we likely won’t know until we see the first test case. Of course, for multinational companies with divisions in Europe, the supervisory authorities can hold the EU representatives accountable. And the US Commerce Department-created EU-US Privacy Shield framework was implemented specifically to comply with transatlantic data protection requirements. But until a US company is found non-compliant, we won’t know exactly how it will play out.

Are American companies prepared?

According to a PricewaterhouseCoopers survey earlier this year, more than 90 percent of the American C-level executives surveyed considered GDPR compliance “a top priority on their data-privacy and security agenda for 2017.”

It is unclear how prepared companies really are. In fact, there is some debate whether the GDPR will cause great upheaval in American businesses or whether it will amount to nothing more than an ominous bark without any bite.

But there is some evidence that in late 2017, companies are starting to take it seriously. A survey by security compliance firm TrustArc and the International Association of Privacy Professionals (IAPP) found that 84 percent of its US respondents expected to be prepared by May 2.

It’s likely that companies will have to adapt standard marketing processes such as data mining, location targeting and remarketing and think of new ways to handle data. But businesses that already take the threats associated with user privacy seriously and have safeguards in place will be in better shape when the regulation kicks in, regardless of how it’s enforced.

It’s also clear that we will see an increasing number of new, compliance-oriented products and services being developed for the foreseeable future.

What can a company do to prepare? Here are some basic points to consider when developing a plan:

  • Integrate your IT and marketing departments. Soon. Between the threat of cybercrime and the necessity for specific monitoring and implementation strategies, your IT department will be your new best friend. Those who use martech technology will now have increased reason to invest in and use secure and customized IT solutions to stay on the right side of the regulations — and the right side of the consumers’ trust.
  • Hire a Data Protection Office (DPO). The GDPR assigns liability to the data processors and controllers and does not require smaller operations to hire a data officer. But it’s an investment worth giving some serious consideration. The potential damage to your company’s bottom line is not worth the risk. If nothing else, the GDPR has a singular message: Consumer information deserves to remain private. So anything you can do to stay in compliance will help you overall.
  • Complete a thorough audit of your current data security system. The best way to ensure compliance is to have an accurate assessment of your current data processes. This way you can identify high-risk areas and fix any potential problem areas before enforcement begins.
  • Educate your staff. Although the bulk of the responsibility falls to your security staff, anyone who handles information needs to be educated about GDPR. This includes staff that interacts with new customers or users, those that maintain CRM systems, and even data entry personnel.
  • Create tools that will ensure privacy. Every day there are more and more companies popping up with pseudonymization solutions and other ways to keep compliant. Work with your DPO and your IT department to find the solution that works best for you.
  • Work with third-party providers who are GDPR-compliant. This includes your email service provider, your CRM service and your marketing and PR agencies. You can be held responsible for breaches made by processors you work with. It’s important to ensure that all aspects of your data processing are in compliance.