By Kate Salkin, Senior Interactive Designer
April 09, 2018
What is the General Data Privacy Regulation?
On May 25, 2018, an unprecedented regulation will go into effect to protect the personal data collected from individuals in the 28 countries that make up the European Union (EU).
While being an ocean away might lead you to believe that the impact of this one parliamentary measure won’t put a dent in your marketing plan, the specifics of this act suggest it will unequivocally change the way brands speak to consumers across the globe. In fact, according to a survey performed by PricewaterhouseCoopers, 90 percent of American C-level executives surveyed consider adjusting marketing and business practices to accommodate GDPR compliance a top priority on their agenda.
This regulation, called the General Data Privacy Regulation (GDPR), works to protect the privacy and data of its citizens by requiring far more consent, transparency and exchange of knowledge between the people who control data and the people whose data is collected. While this specifically protects the citizens of the EU, anyone who collects the data of EU citizens must follow suit as well, or meet a swift penalty.
Specifically, this act requires that when data is collected, people 1) must be told exactly what data is being collected, 2) must be told exactly how their data is being used, 3) must specifically and actively consent to the collection of this data 4) must be guaranteed protection of their data, and 5) must be given a clear and evident opportunity to request deletion of their data at any time. Organizations are also only allowed to collect data that’s immediately relevant. Therefore, data such as an email address can’t be collected by organizations for potential future use. There has to be a clear and evident reason why that email address is needed as it is collected. Data is defined as anything from basic identify information to IP address to current health status to sexual orientation.
As a marketing professional, why should I care?
No matter where you are in the world, there are major reasons why marketing professionals should take note of these changes. Major organizations, like Facebook, HubSpot and MailChimp, have already taken steps to comply to the GDPR. But marketers and the third-party platforms they use are also held accountable when data collection is not compliant. In other words, a third-party processor not in compliance means your organization is not in compliance; and the fines for noncompliance are steep. Fines for a single violation are approximately $25 million or four percent of global revenue, whichever is greater. Thus far, the regulatory powers that be have proven to make an example of any organization, big or small. In fact, in 2016 a company called Flybe sent an eblast to a mailing list (including citizens of the EU who previously unsubscribed from the list) asking if their current information was still correct. This use of an email address without consent violated a less strict EU pre-GDPR act and, as a result, Flybe was fined 70,000€.
Who in marketing is affected most by the GDPR? The general opinion is that the GDPR will most impact how email marketing managers (specifically B2B), public relations executives and UX/UI designers operate. For email marketers, practices like buying email lists and cold emailing will now be risky endeavors. Unless you have the utmost confidence that every single email address on your list is outside of the EU, you are risking GDPR violation.
Additionally, PR executives and third-party PR platforms like PRWeb will have to be more cautious about who is receiving press releases or being contacted about new product releases. After all, journalists in the EU can no longer be contacted without previous consent regarding the use of their contact information for that specific purpose.
Lastly, UX/UI designers will now have to give more thought to how they design digital experiences that request a user’s information. For example, in the image below there are two forms to enter to win a faux Stephan & Brady prize pack – one form is GDPR compliant, one is not. While both these forms are only asking for the top-line information that is required for an individual to be contacted if they win, the form on the right does not provide an opportunity for a potential EU user to actively consent to how their data might be used or how they might be marketed to via email – which presents a clear case of a GDPR violation.
Am I GDPR compliant?
As a marketing professional there is a lot to consider in regard to how GDPR compliance impacts the lines of communication between your brand and their consumers. In fact, according to data security and risk research firm CSO, two-thirds of major U.S. companies believe that the GDPR will require them to rethink their strategy in acquiring data and communicating to consumers. As regulations like this continue to take effect, it will get increasingly harder to attract customers attention. That being said, this opens up the opportunity for a long overdue discussion about how we are reaching our audiences and opens up the opportunity for fresh, innovative thinking. While the GDPR undoubtedly presents some gray areas to organizations operating outside of the EU, HubSpot published a fantastic compliance guide to get us started on operating a GDPR-compliant organization. As for the conversation of data regulation for citizens outside of the EU, with Russian bots, Facebook and Cambridge Analytica all making recent headlines, there is every indication that this conversation is just getting started. The wisest thing for U.S.-based marketing firms to do is start having discussions about data use and compliance today.
Have questions about GDPR and its impact on your organization? Comment below. We’d be happy to help.