This is a 2-part blog, where part 1 explains (in plain English) what your firm needs to know about GDPR compliance, and part 2 explains what your firm needs to do about it if you’re marketing to the EU.*
*While this blog only speaks about GDPR compliance in regards to marketing to individuals in the EU, it’s important to note that GDPR will also affect the way you process customer data (contracts etc.).
Read Part 2 here: GDPR Compliance Part 2
Disclaimer: This blog aims to give you a general overview of the most important elements of GDPR in regard to marketing to individuals in the EU. It is not legal advice. If you would like legal information or advice on how GDPR applies to your specific circumstances then you should consult a legal professional.
What is GDPR and when will it come into force?
GDPR stands for General Data Protection Regulation, a new EU regulation (Regulation (EU) 2016/679) adopted in April 2016 that replaces the 1995 Data Protection Directive.
The regulation applies from May 25th 2018, and it will impact any firm offering goods or services to individuals inside the EU, or monitoring their behaviour, whether or not the firm has an office there.
So regardless of where your firm is located, if you process the personal data of individuals in the EU (prospects, customers etc.), this affects you too.
What is the purpose of GDPR?
It’s a regulation that aims to better protect the privacy of an individual’s ‘personal data’.
As of May 25th 2018, GDPR will give EU consumers more control over their data. This will include the right to:
- limit the use of their data
- request their data in a readable format (data portability)
- have their data be forgotten
- seek compensation if they suffer damage as a result of the misuse of their data
- among other rights (such as access to, and correction of, the data you hold on them)
These new regulations have become necessary as digital advances have made it easier to collect, trade and misuse personal data, whether illegally or merely unethically.
So what does GDPR mean for my firm?
It’s a regulation that will force you to be more transparent about how you process the personal data of any individual in the EU.
The Regulation defines “processing” to cover any operation during the course of the information life cycle, from initial collection to final destruction, and includes cross-border data transfers (Source: Littler).
Can I treat Americans’ and Europeans’ data differently?
You can. At present, U.S. privacy law does not match the stringency of the EU’s, so data on U.S. individuals is not subject to the same rules.
But treating the data differently would mean segregating EU data into separate storage, and implementing different policies for it, in order to comply with both regimes.
In my opinion, it makes sense to follow EU compliance rules. That way you never risk being caught out. After all, you’ll be adhering to the most stringent of laws.
And if I don’t comply with GDPR?
I feel ya, GDPR seems like a bit of a pain in the neck.
But unless you want to be landed with a hefty fine (think 20 million euros, or 4% of your annual global turnover…whichever is greater), you unfortunately just have to get on with it.
Okay, so where do I even begin?
There are a couple of things you need to consider before you head down the road towards GDPR compliance.
1. Determine if you’re a data controller or processor.
While both data controllers and processors need to abide by GDPR, the responsibilities vary slightly according to the role you’re playing.
The ICO has definitions that explain the difference, but to put it simply, we understand them as follows:
- A controller is the party that decides how and why personal data is processed (in GDPR terms, it determines the purposes and means of processing),
- And a processor processes personal data on the controller’s behalf and on its instructions, but doesn’t decide why it is processed.
For example, in a situation where a firm collects data from lead generation activities and uses an email automation platform to communicate with those data subjects, the firm would be the controller and the email automation platform would be the processor.
*Note: It’s possible to be both a controller and a processor. For example, if you collect and use your own data (like in the situation above) but also handle data for a client, then you would be both a controller and a processor.
2. Then, audit your data. Consider things like:
- What data you collect and hold
- Where you store your data
- How your data is protected and managed
- Who has access to your data.
3. Once you’ve got a clear picture of what you’re working with, you need to research the GDPR’s lawful bases for processing personal data to determine which lawful basis you’ll be using to legally process your EU marketing data going forward.
There are six lawful bases to choose from (listed in Article 6 of the GDPR). However, for B2B firms, there are two that are probably the most relevant for the purpose of marketing to people within the EU (for the full list see the GDPR report).
- The data subject has given consent or,
- It’s necessary for the purposes of the legitimate interest pursued by the controller or third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data).
Whichever you choose, you’ll need to document your decision, have a strong case to argue your choice if EU regulators come a’knocking, and ensure you take the necessary steps towards GDPR compliance where that lawful basis is concerned.
For example, should your firm select consent as its lawful basis for processing EU marketing data, you’ll likely need to change how your website’s opt-in process works when prospects sign up to your newsletter, download content pieces etc.—more on this in next week’s Part 2 blog.
How do I know if I’ve made the right choice?
As long as you’ve read and understood your options (lawful bases) and taken the correct course of action to ensure that you abide by GDPR where that lawful basis is concerned, your firm should be safe.
Considering the vastness of the requirements of the new regulations, I would recommend that if you are unsure about anything you should seek the advice of a professional who has the relevant expertise.
Firms embracing GDPR now will not only benefit from being ahead of the curve, but they will also have a competitive advantage when the new regulations come into effect.
After all, firms that demonstrate an understanding of, and respect for, the proper use and processing of personal data will be preferred when it comes to service selection…especially when the cost of a business embroiling itself in inappropriate data processing can be crippling.
We’re offering free one-to-one consultations for firms in the U.S. who want to know how they should be preparing for GDPR compliance.
This offer is only available in 2017. If you’d like to take up the opportunity, send an email to firstname.lastname@example.org or give us a call on (UK) +44 20 7099 5535 / (US) +1 877 465 7740 to schedule a convenient time.
For up-to-date marketing insights, sign up to the JTN Newsletter