By now, it’s hard to escape news about the General Data Protection Regulation (GDPR), which goes into effect in the European Union on May 25, 2018. The intent of the regulation is to give individuals more control over their personal data by making it clearer when and where data is collected, used and removed.
As with any new regulation, GDPR contains many important nuances and implications, even for U.S.-based businesses. Make sure your company’s C-suite and legal team are on the same page about what it means for your business so you can form a plan of action before it takes effect.
Here’s a basic rundown of the new regulations:
Not all opt-ins are created equal. In some cases opting in is incentivized, with those who opt in receiving exclusive access to offers or other preferential treatment. Incentivizing an opt-in can undermine the requirement that consent be freely given, because the person may feel they have no real choice but to go along or lose out. Make sure you and your legal team agree on what constitutes a valid opt-in under the GDPR.
- Transparent Marketing. Good marketers already know that relevant information is the key to boosting reader engagement. Irrelevant offers annoy people at best; at worst, they find you spammy and untrustworthy, and report you as such.
Under the GDPR, contacting buyers in the EU requires a lawful basis, and for B2B marketers that usually means being able to show the content is relevant to the recipient. There is room for interpretation over what counts as "relevant," so agree on a clear set of parameters with your legal team. For example, if the material is not relevant to the recipient's job role, you should not send it.
- Third Party Compliance. Many businesses use multiple sales and marketing platforms (think HubSpot and Salesforce) and outsource part of their marketing tasks to agencies and other third parties. The GDPR makes the original marketer or business (the controller) responsible for ensuring that every supplier that handles personal data on its behalf (a processor) provides sufficient guarantees of compliance, and it requires a written contract setting out the terms of that processing. Suppliers are not off the hook: processors carry their own obligations under the regulation and can be held liable for breaching them.
- Data Breach. The General Data Protection Regulation sets out requirements for keeping personal data secure, and specifies what must happen after a breach or leak: the supervisory authority must be notified within 72 hours of the organization becoming aware of the breach where feasible, and affected individuals must be told when the breach is likely to result in a high risk to them.
- Forget Me. Individuals in the EU now have a right to erasure (the "right to be forgotten") on request, or to be given a reasonable explanation of why their personal information cannot be removed (e.g., a legal obligation to retain it, or outstanding debts). Erasure is meant to cover main copies, backups, individual devices and other data storage sources, so know where every copy of a record lives before a request arrives.
Failure to comply could result in serious consequences, including fines of up to 20 million euros or 4 percent of your company's worldwide annual turnover, whichever is higher. It's likely that as companies make the transition, early failures will draw less dire consequences, such as written reprimands and orders to comply, as long as companies can show a good-faith effort to make changes. That leniency will not last indefinitely, however.
How the GDPR Affects U.S.-Based Businesses
The regulations don't apply to U.S.-based businesses and customers simply because they are U.S.-based, but if you have a presence in the EU, offer goods or services to people in the EU, or monitor their behavior there (for example, through website tracking), then the law applies to you.
Be sure to consult your legal team for specific advice, but here are a few ways that the GDPR may affect your company and what you can do about it:
- You could be subject to the new rules if you use the personal data of individuals in the EU — including common data collected from browsing such as location data and online identifiers like IP addresses.
- It's nearly impossible to control who browses your website and therefore has their data collected. The mere fact that people in the EU can reach your site does not by itself bring you within scope; what matters is whether you are evidently targeting them. So make sure your marketing clearly targets U.S. companies or consumers if that is your intent.
- Clear cases where American companies would be subject to the law include web content using the language or currency of an EU country with references to that country's buyers, or any domain with a suffix targeting a specific EU country (or .eu).
- Other possibilities include U.S.-based hospitality and travel companies targeting European travelers, e-commerce and software companies with an international buyer base, and any company that has identified a European market to target.
- Keep in mind that an actual transaction need not take place for the rules to apply; simply collecting personal data of people in the EU for marketing purposes can bring you within scope.
Complying with the General Data Protection Regulation
Complete compliance with the GDPR is a significant task for any company, but many of its requirements will push businesses to be safer, more secure, and more respectful of privacy, all things that consumers want.
For American companies seeking compliance or considering expanding operations to the EU or European consumers, it's not enough to direct your legal or IT teams to do the work. Whether you must formally appoint a data protection officer depends on what you process rather than on company size: the regulation requires one where your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Large companies will often want one on staff regardless, and small businesses should consider contracting with specialists who can bring current systems into compliance and provide routine inspections for ongoing matters.