On 25 May 2018, one of the most important changes to data privacy regulation in years comes into force - the European Union General Data Protection Regulation (GDPR). Based on our own research, we've tried to simplify it in plain words for the greater good, and we've also thrown in a few useful links at the bottom of this article that we found along the way.
What is the General Data Protection Regulation (GDPR)?
The GDPR is an EU regulation introduced to protect people's personal data and give them more control over how it is used. The law it replaces, the Data Protection Directive, dates back to 1995, so it's been a while! Many of the directive's principles carry over, but with today's world being ever more driven by data, the rules needed updating so that people in the EU are protected as much as possible.
Who does it apply to?
As we're talking about the business side of things here, the GDPR applies to any organisation that processes the personal data of people in the EU. That doesn't mean the organisation needs to be located in the EU; it's down to where its activities are aimed, i.e. selling goods or services into the EU or monitoring the behaviour of people there. This includes both controllers and processors of personal data.
What's the punishment?
This is where things get a little interesting, and it's probably one of the most talked-about points - rightly so! When we meet other agencies and professionals, one of the first things they mention is the punishment. Well, here it is: for the most serious breaches, fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
So if you have locations across the world and the one in the EU breaches the GDPR, you can be fined up to 4% of your entire worldwide turnover, not just the turnover generated in the European Union. Another really important change is this - both controllers and processors of data can be fined.
Fines can be issued for things such as not keeping proper records of your processing, not notifying the supervisory authority and the affected data subjects about a breach, or not conducting a data protection impact assessment where one is required.
So how can I avoid fines?
We're not offering legal advice or trying to be the voice of the industry; this is just our interpretation (disclaimer again!). Here's how we think about it...
Put yourself in the shiny shoes of a typical EU citizen. How would you like your data to be treated? Would you be pissed if people were making money out of your data and passing it on to other companies so that they could send you marketing materials that you're not even interested in?! *sigh*
"But you're a marketing agency" you cry! Yes, but our sole aim across everything we do is to get our clients' brand, products and services in front of the right people at the right time. Buying data and marketing to people who haven't got a clue about what's going on just wastes money.
Back in the shiny shoes...
Would you feel comfortable getting information and marketing material for products you've specifically asked to receive? Course you would! Because you've asked for it.
Imagine you've visited an automotive dealership and asked about a certain new model of car. They ask if you'd like to receive a nice, glossy brochure in the post, to which you say yes. Now fast forward 6 months: you're driving around in your smooth, comfy car with a 'new car', tree-shaped air freshener dangling from the rear view mirror, and they send you a nice, glossy brochure about some used car offers. You're going to be a bit frustrated, because you haven't asked for this, and it extinguishes any rapport built between you and the dealership. Under the new regulation, consent has to be specific, so the 'yes' you gave to one brochure about one model doesn't cover unrelated offers later.
When the GDPR comes into force on 25 May 2018, consent has to be freely given, specific, informed and unambiguous. In practice that means data capture has to be really simple and accessible, with no long fine print and a clear opt-in rather than a pre-ticked box, and it has to be granular to the point that the person specifically requests information about the particular product or service. Anything else, and you simply don't have permission.
So what can I do?
Many, many companies between now and 25 May 2018 will be sending out consent campaigns, asking people to consent to receive particular information about their products and services. The bad thing is that when you email people you haven't connected with for years and dust off their data files, you're highly likely to get a rather high unsubscribe rate. One check before you press send: a consent-refresh email is itself a marketing email, so make sure you're allowed to contact each recipient in the first place; emailing people who never opted in to ask them to opt in doesn't fix the problem.
The good thing is that you'll end up with a much higher quality database, full of people who are willing and want to receive information about your products and services. It may be a lot smaller in numbers, but the quality will be there. It's just like paid advertising, where over time you refine your keyword research to find the audience that is most willing to buy.
Oh, and be careful with incentives to get people to consent. Consent has to be freely given, so if the prize or the free car wash is conditional on agreeing to receive marketing, that consent may not count and you could be in breach. No more "Win a free service" or "get a free car wash" - just ask them nicely.
What's the next step?
As of writing this blog post you have around 169 days, so go grab your database and let us put a plan of action together for you. We can help make your marketing strategy compliant and help ensure that you stay compliant too. Tick tock...
Resources:
Guide to the General Data Protection Regulation
GDPR: 12 steps to take now (PDF)
Website of EU GDPR