Although data privacy is already an important issue around the world, the arrival of the General Data Protection Regulation (GDPR) in May 2018 should have your attention. That's because the penalties and steps required to comply with the GDPR are significant. In addition, organizations based outside the European Union may be subject to the GDPR.
This section explains what the GDPR is and why it matters to organizations—including marketers, digital business owners, and their technical teams and digital agencies—in any country. It's not intended as legal advice, but highlights key steps you can take to reduce your risk of breaching the GDPR.
The GDPR is designed to protect individuals' rights in relation to their personal data. Organizations subject to the GDPR are responsible for protecting information that relates to an "identified or identifiable" person. If you work in the United States, you may know a narrower version of this concept as personally identifiable information (PII); the GDPR's "personal data" covers more, because it includes any data that can be linked to a person, directly or indirectly.
The GDPR will apply to your organization if it processes data about people in the European Union (EU) in order to offer them goods or services. It will also apply to the data you process to monitor the behavior of people in the EU by, for example, tracking their Internet activity or using data to analyze or predict their personal preferences.
The potential penalties for breaching the GDPR are substantial. For the most serious infringements you could be fined up to EUR 20 million, or 4 percent of your company's worldwide annual turnover, whichever is higher.
For many organizations, the GDPR will have significant ramifications. You must protect not only the names and addresses you collect, but also data that someone might combine with other information to identify a person. The GDPR explicitly lists online identifiers such as IP addresses and cookie identifiers as examples. The test is whether it is reasonably likely that someone could use the data to identify a person, taking into account the cost and time required to do so.
The full text of the GDPR has many conditions and exceptions. However, some of your overarching responsibilities will include:
You will need a lawful basis for processing an individual's personal data. For most marketing and analytics activity that basis will be the individual's consent, and when you ask for it you should use "clear and plain language." You should also explain who is collecting their personal data and for what purpose. If you're processing data about children, you'll need to do this in language they can understand. Under the GDPR, you won't be able to pre-tick a consent box for visitors to your website: they will have to actively consent to you processing their personal information, and you will need to make it as easy to withdraw consent as it was to give it.
You'll also have to provide a copy of the personal data you hold about someone if they ask for it. They will be able to ask who you disclosed their personal data to, and how long you will store it. If you didn't collect the personal data directly from them, they will be able to ask where you obtained it from.
If the security protecting the personal data under your control is breached, you will have to notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to pose a risk to the people concerned. If the breach is likely to result in a high risk to those people, you'll also need to notify them directly.
However, it's not enough to have these systems in place. You'll also need to be able to demonstrate that you are complying with the GDPR. For example, you'll need to be able to show that someone has consented to you processing their personal data. You will need to keep records that detail the reason for collecting and processing data under your control, as well as descriptions of each personal data category and the categories of recipients you will disclose the data to. Where possible, you should also keep records that outline when you will erase the data and what security measures you're using to protect it.
Note that organizations with fewer than 250 employees may be exempt from some record-keeping requirements. But this depends on certain conditions. For example, if they process personal data more than occasionally, if the processing is likely to risk someone's rights, or if they process "special categories" of personal data, such as data about a person's race, ethnic origin, or sexual orientation, they must still keep records.
Personal data is easy to collect without intending to. A few examples: A new customer completes a registration form on your website, and an advertising retargeting system collects their email address without their permission.
Your developer updates a form on your website, which results in users' email addresses becoming part of a URL when they unsubscribe from your newsletter. Your analytics system stores the email addresses while tracking URLs on your site.
A digital agency working on your behalf places a marketing tag on your site. However, when this first tag renders, it also triggers a second tag, or even several, without your approval. The additional tags may collect data about your visitors without your knowledge. This is a common issue with advertising-related tags, and the practice is known as piggyback tagging.
These responsibilities could require extensive changes to the way you go about customer analytics. That could include changes to how you collect personal data, the systems you use to store it, and what you tell people about the personal data you collect.
You could try to avoid these responsibilities by not collecting personal data. However, that's going to disadvantage your business given the growing number of companies using customer data to compete. And if you're using a lot of analytics tools, you could be collecting personal data without knowing it.
A safer approach is to closely scrutinize the data you collect, or an agency collects on your behalf, and address any breaches quickly.
For example, you should check that forms on your website aren't collecting personal data if they're not meant to. That might mean having some forms submit an opaque alphanumeric user ID rather than a user's name or email address, so that the value that ends up in your analytics and in your logs cannot identify the person on its own.
You should also aim to monitor any changes developers make to your website before they go live. That's because even the smallest change, such as an incorrectly used tag, could result in a breach of the GDPR.
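The unsubscribe-link scenario above (an email address ending up in a URL that your analytics system then records) is the kind of leak a pre-release check can catch mechanically. The following is an added example, not code from the original article: it audits a constructed batch of URLs for email addresses and known personal-data query parameters, produces a scrubbed copy safe to hand to an analytics tool, and shows how to derive the opaque user ID mentioned above with a keyed hash instead of sending the raw address. The parameter names in `PII_PARAMS`, the sample URLs and the secret are assumptions for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Heuristic for an email address anywhere in a string.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Query parameter names that this (hypothetical) site uses for personal data.
PII_PARAMS = {"email", "name", "phone"}


def _safe_unquote(segment):
    """Percent-decode a path/fragment segment; tolerate malformed escapes."""
    try:
        return unquote(segment)
    except Exception:
        return segment


def audit_url(url):
    """Return a list of findings describing personal data present in the URL."""
    parts = urlsplit(url)
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PII_PARAMS:
            findings.append(f"query parameter {key!r} is a known personal-data field")
        elif EMAIL_RE.search(value):
            findings.append(f"query parameter {key!r} contains an email address")
    for segment in parts.path.split("/"):
        if EMAIL_RE.search(_safe_unquote(segment)):
            findings.append("path segment contains an email address")
    if EMAIL_RE.search(_safe_unquote(parts.fragment)):
        findings.append("fragment contains an email address")
    return findings


def scrub_url(url):
    """Return the URL with personal data replaced by a fixed token.

    Use this on the page URL before it is passed to an analytics call, so the
    tool never sees the address even if a developer change leaks it into the URL.
    """
    parts = urlsplit(url)
    query = [
        (k, "REDACTED") if (k.lower() in PII_PARAMS or EMAIL_RE.search(v)) else (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    path = "/".join(
        "REDACTED" if EMAIL_RE.search(_safe_unquote(s)) else s
        for s in parts.path.split("/")
    )
    fragment = "REDACTED" if EMAIL_RE.search(_safe_unquote(parts.fragment)) else parts.fragment
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), fragment))


def pseudonymous_id(email, secret):
    """Opaque user ID: HMAC-SHA256 of the normalised address under a server-side secret.

    The ID is stable for one person, so analytics can still count distinct users,
    but without the secret it cannot be turned back into the address.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()[:32]


def audit_all(urls):
    """Map each URL that carries personal data to its findings; clean URLs are omitted."""
    report = {}
    for url in urls:
        findings = audit_url(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample, standing in for URLs exported from an analytics system.
SAMPLE_URLS = [
    "https://www.example.com/products?category=shoes",
    "https://www.example.com/unsubscribe?email=alice%40example.com&list=news",
    "https://www.example.com/unsubscribe/bob%40example.com",
    "https://www.example.com/search?q=carol%40example.com",
    "https://www.example.com/confirm?uid=3c9f2a8b",
]

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_URLS).items():
        print(url)
        for finding in findings:
            print("  -", finding)
        print("  scrubbed:", scrub_url(url))
    print("opaque id:", pseudonymous_id("Alice@Example.com", b"example-secret"))
```

Run the audit against a crawl of your staging site, or against a sample of URLs from your analytics export, as a release gate: a non-empty report fails the build. Two caveats. A regex only catches obviously email-shaped values, so it will not notice a full name or a postal address in a parameter with an innocent name; maintain the list of personal-data parameters deliberately. And a keyed hash is pseudonymization, not anonymization: whoever holds the secret can still link the ID back to the person, so under the GDPR the ID remains personal data and the secret must be protected like one.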
You'll also need to monitor how agencies collect personal data on your behalf. Even if a third party causes the breach, you can still be liable as the organization on whose behalf the personal data was being processed. For example, you should keep track of which systems your suppliers use to collect data for you, where they send it, and whether they have agreed in writing to process it only on your instructions.
To reduce the risk of breaching the GDPR, you should also be able to report on all your data collection activities.
Gaining a high degree of visibility and control over the systems and people involved in data collection isn't always easy. One way to achieve this is to create a data governance plan that sets out company-wide rules.
Consider appointing a Chief Risk Officer (CRO) to drive the creation and execution of the plan. They can help ensure relevant people contribute to the plan, and hold employees and business partners accountable for adhering to it. The CRO can also ensure that senior managers understand the risks of non-compliance.
A plan like this doesn't just help reduce legal risks, it improves your control over the data you're using to make business decisions. You'll benefit from more accurate data and you'll be able to foster trust with people who interact with you online.
Once you have a data governance plan in place, you'll need a way to put it into action. That's the focus of our next chapter.