Note: This is not legal advice. Onestop cannot provide you legal advice, so you'll need to consult your own legal counsel.
On May 25, 2018, one of the most sweeping and significant changes in global online privacy will take place when the European Union's General Data Protection Regulation (GDPR) is officially implemented. GDPR is a new privacy law that modernizes and updates data protection requirements. This new regulation will affect any organization that collects the personal data of people in the EU, thus enhancing consumer privacy on a sweeping scale worldwide.
What Will GDPR Do?
In essence, it will govern and regulate the processing of data subjects' personal data -- but how is "personal data" defined? As with any new regulation, it's necessary to clarify terminology in order to have a clear understanding of what's involved. In this case, personal data refers to any information that relates to an identifiable person.
The GDPR definition of "personal data" is a broad one and could cover names, photos, ID, email addresses, ID numbers and financial information, as well as social media posts, IP addresses and cookie data -- or anything else that could be defined as an "identifier."
Once it is implemented, organizations can process personal data only if the person involved authorizes it -- and even then, there are time limits on how long the data can be retained.
Are You Affected by GDPR?
It will not only affect every state in the EU; it will affect businesses worldwide as well. Its global reach is designed to cover not only organizations operating within the EU, but also organizations outside of it that offer goods and services to EU residents. This means that even if you're not in the EU, you'll still be affected, because GDPR applies to any business or organization that handles EU-based data, regardless of the location of that organization.
With GDPR, EU residents will now have the right to restrict processing of their personal data. In other words, if you're using customer data for marketing purposes, or for any purposes other than filling orders, you'll be restricted from doing so unless you have that customer's permission. Likewise, if an EU-based customer asks you to delete data -- such as a history of purchases -- you'll need to be able to immediately comply with the request.
Even if you don't market or sell in multiple countries, it makes no difference. If you have even one purchaser who resides in the EU, your company will be affected by this. Because of the breadth of its parameters, GDPR is considered to be the world's most comprehensive data privacy law to date.
Key Components of GDPR
Right to Restrict Processing
First and foremost, under GDPR, EU residents have the right to restrict processing of their personal data. In addition, they have to give permission before a company is allowed to use this data in marketing or for any other purpose.
Right to Erasure
It gives individuals the right to erasure. This means that a customer can contact your business and request that all profile information, purchase history and other personal information be deleted from company files.
Data Breach Rectification
In case of any type of data breach, controllers must notify affected customers at the latest within 72 hours unless there's a justifiable reason for a delay.
Under GDPR, parental or guardian consent is required for access to personal online data relating to children 16 and under -- and individual EU states are allowed to lower this age limit to 13 if they wish.
GDPR and Online Marketing
Digital marketing and email marketing will be especially affected, as GDPR will impose limitations on processing personal data, which is typically done to create marketing profiles. In addition, it will implement stricter protections and safeguards over transfers of personal data inside and outside the EU, so this will have a major impact on non-EU companies wishing to market on a global scale. For companies to be compliant, current ecommerce platforms and ecommerce solutions will have to be updated to reflect these new protocols.
However, the good news is that GDPR can actually be leveraged as a beneficial, consumer-centric component by retailers and service providers. In essence, these new regulations can give companies an opportunity to improve customer relations by focusing on building trust through customer privacy. In turn, these heightened privacy protections can become a key part of a positive customer experience.
Becoming GDPR Compliant
It's of primary importance for businesses worldwide to be aware of this new legislation and to start preparing immediately for it. Here are some things you can do to become GDPR compliant.
- Hire a data protection officer to monitor data privacy.
- Update company privacy policies and change disclosure information.
- Implement regular data protection impact assessments.
- Create a standard procedure to obtain consent from customers to process their data.
- Review contracts to make sure personal data is protected.
- Implement GDPR training sessions for staff members.
- Create a standard procedure to deal with data subject access or deletion requests, as well as government access requests.
- Make sure that data transfers are compliant with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for all customer-related data.
GDPR and Marketers: Taking Responsibility
The penalties for non-compliance with GDPR can cost a staggering 20 million euros (roughly $24.5 million US) or four percent of a company's annual revenue -- whichever amount is higher. Obviously, non-compliance is serious, and that's why marketers now have to be able to understand, trace and answer for the complete digital footprint of every piece of customer-related data. Each piece needs to be protected and monitored, and you'll need to identify exactly how it's going to be used.
Here are three things your company can do to handle data more responsibly:
- Perform regular data audits: These should be done across all platforms, including CRM and internal/external databases. Don't forget about third-party platforms if they're involved as well.
- Identify and document data storage locations: Be sure to document where each piece of data is, as well as whether or not consent for data usage has been granted by the individual involved.
On the plus side, many marketing experts feel that, because it restricts irresponsible mass-marketing tactics, GDPR might help marketers focus even more on connecting/engaging with their customers in a more personalized way.
It's important to remember that companies worldwide will be held responsible for implementing GDPR-readiness protocols, and data controllers and data processors in particular will need to educate themselves about the new regulations. That's why it's essential that GDPR compliance plans be finalized now, before the changes go into place.
In the end, GDPR's new restrictions (and its hefty fines) serve as a reminder that companies and marketers don't own an individual's data; and that if businesses need to use it, they'll essentially be compelled to borrow it for just a limited amount of time -- and only with the person's explicit permission.
Onestop Internet's performance marketing strategy for partners includes analysis, identification, and targeting of online customer segments. Our ecommerce experts can tailor your offering to the shoppers who are most likely to engage immediately with your brand, and we use cutting edge consumer research to build descriptive audience profiles that inform creative design, merchandising and promotions.