What Your Brand Should Know About GDPR
The General Data Protection Regulation, or GDPR, is EU legislation that becomes effective on May 25, 2018. Its goal is to protect the sensitive information of EU data subjects (which essentially means anyone residing within EU borders). It does this in several ways, including by giving the consumer control over his or her data, providing transparency about what information is collected and how it is used, regulating certain data-related processes for companies and requiring strict reporting requirements for data breaches.
The GDPR applies to EU companies, but also to companies located outside of the EU who do business with EU residents. It protects “personal data” which is broadly defined. The definition includes a person’s name, address, ID numbers, web data (i.e., IP address, cookies, RFID tags), health, genetic or biometric data, racial or ethnic data, banking data and also extends to physical, physiological, genetic, mental, economic, cultural or social identity factors specific to the individual. Note that personal data includes B2B contacts, so any business information that makes a person identifiable is usually included.
There are a variety of ways that the GDPR will impact most marketing operations. Here are some examples:
- This explicit consent cannot be bundled with a “bribe.” The ability to opt in must be separate from a request for your information or form. This means the check-box cannot be required for the download or other info.
- Cookies and behavioral data tracking also requires consent and this consent cannot be obtained by a simple banner on your website. Active consent is also required. One way to obtain this would be to enable an unticked box that can be checked by users of your website.
- The data that you do collect cannot be stored indefinitely. The length depends on the purpose of the data. You can only store it for as long as reasonably necessary.
- Be prepared to be able to respond to requests from individuals to correct, update or delete their information. If you use vendors, make sure that they will work with you on this as needed.
- Given all the complexity with these and other legal requirements, make sure you work side-by-side with your legal counsel to devise the right protocols for your company.
When it comes to GDPR, make sure you work side-by-side with your legal counsel to devise the right protocols for your company.
What are the core principles and requirements under the GDPR?
The GDPR is voluminous, but we can summarize its core principles and requirements:
- Lawfulness, fairness and transparency — personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose Limitation — personal data must be collected for specified, explicit and legitimate purposes.
- Data Minimisation — personal data must be relevant and limited to what is necessary in relation to the purpose for which it is collected.
- Accuracy — personal data must be accurate and, where relevant, kept up-to-date (otherwise correct or delete).
- Privacy by Design and Default — data protection must be incorporated into products and services that involve data.
- Data Security — appropriate technical and organizational measures must be implemented to ensure an appropriate level of data security.
- Retention — personal data should be kept in identifiable format for no longer than needed.
- Integrity and confidentiality — personal data must be kept secure.
- Data breach reporting — in the event of a breach of personal data, the relevant supervisory authority must be notified within 72 hours and, if there is a likely high risk to the rights and freedoms of natural persons, the affected data subjects must also be notified without undue delay.
What should marketing and customer support teams do to be GDPR compliant?
There are many things to do to prepare for GDPR compliance and they can be quite complicated. For this reason, don’t try to tackle it alone — form a GDPR working group with colleagues from your legal, security, development and any other relevant teams. Then, there is a series of reviews that should be done, such as documenting what personal data you store (either directly or through a vendor), where it is stored and what consents you have to store or use it. Get with your legal team to ensure they’ve reviewed and updated your privacy policies and consent procedures. Make sure that you inform them of all your marketing activities that involve the collection of any personal data, whether it is contact data, behavioral tracking data or otherwise, so you can devise pragmatic approaches to obtaining informed and active consent going forward.
With respect to the data that you have and want to continue to use for marketing or customer service reasons, assess whether you have the proper consents to continue to use it after the GDPR goes into effect. If there are uncertainties, assess your options for obtaining the requisite consents. You should also make sure you will be ready to comply with requests you may receive from data subjects, such as their rights to access their data (and obtain it in an easy-to-use format), update their data and their right to have their data be deleted. You should be ready to be able to respond to these requests in 30 days or less and cannot charge for processing the requests.
If you use third-party vendors for any aspect of your marketing procedures that involve data, make sure that you do diligence on those vendors to ensure they are compliant as well as they could subject you to liability if they are not. You should also have appropriate data processing agreements with them.
Additional GDPR Resources
Note: Please note that this information is intended to be helpful and to provide general guidance, but should not be construed as legal advice. GDPR and other applicable data privacy requirements may be voluminous and complex. You should consult with your own attorneys about the particular impact and action items for your company.