Sr. Inbound Marketing Solutions Manager
NOTE: The information below is meant as a guide to help you understand major changes as a result of the General Data Protection Regulation (GDPR) and is not a substitute for legal advice for you or your company to use to comply with GDPR. You should consult your legal representation for official legal advice and interpretation for what GDPR means for your organization.
The European Union (EU) is updating its privacy legislation to strengthen the rights of its citizens as they relate to their digital footprint and to regulate how organizations collect, store, and process data of citizens in the EU. Until now, EU data privacy was governed by the 1995 Data Protection Directive (DPD). The General Data Protection Regulation (GDPR), set to begin today, builds on the fundamental principles set by the DPD, but will span all EU countries. Penalties for non-compliance are significant, up to a maximum of €20 million (approx. 27 million U.S. dollars) or 4% of annual worldwide turnover.
This legislation applies not only to organizations in the EU or those who actively market to EU citizens, but also to any organization that tracks or stores personal data of an EU citizen. A major update under this legislation is how “personal data” is defined. In addition to information like name, phone number, address, or email address, just about any identifiable data about an individual (e.g., IP address, religion, economic status, mobile device, etc.) can be considered personal data under GDPR.
Another major update for consideration is acquiring explicit consent. Any opt-in under GDPR must now be a specific action in the affirmative. The individual must be able to easily update their subscription preferences to determine when and how their personal data will be used, or withdraw their consent altogether at any time they choose. Consequently, a pre-ticked opt-in box or passive inaction (i.e., not receiving an unsubscribe for a particular communication) is no longer adequate to prove consent. In addition to getting explicit consent, organizations also need to record and store how and when an individual provided consent.
As marketers, our goal is to build trust with our customers through relevant interactions. While the steps to ensure GDPR compliance may seem daunting at first, this new legislation gives us the opportunity and motivation to improve transparency with our customers. We can achieve this by setting clear expectations to help audiences understand how, when, and why we use their information. This will provide them the confidence to know we will protect their information and only use it in the manner we disclosed at the time of their opt-in.
Any company that markets to or collects and stores personal data of EU citizens should:
If you have EU contacts in your database and you don’t have a record of when and how they provided their consent to use their personal data to market to them, you should:
Work with your IT department to evaluate your cybersecurity protocol to prevent data breaches, and be sure to have a plan for handling data requests.
In all cases, you should consult with your company’s legal counsel and/or privacy professional for an interpretation and advice on how to comply with GDPR.