Like it or not, the European Union General Data Protection Regulation (GDPR) is coming very soon: it applies from 25 May 2018. The legislation is designed to put control in the hands of consumers over how their personal data is obtained, used and shared. (The regulation says “personal data,” which is broader than the personally identifiable information, or PII, that most marketers are used to: it covers anything that can identify a person directly or indirectly, including online identifiers such as cookie IDs, device IDs and IP addresses. This post uses PII as shorthand.) Most would agree that giving consumers control is the right thing to do. It does, however, present some significant challenges for businesses, including non-EU companies that do business with or market to individuals in the EU.
GDPR consumer advantages:
- Increased security. Companies are required to put appropriate technical and organizational measures in place to protect PII, judged against the state of the art, the cost of implementation and the risk the processing poses to the individuals concerned.
- Consent, or another lawful basis, to process and share information. Consent is the basis most marketers will rely on, and where it is used it must be freely given, specific, informed and unambiguous: a clear affirmative action, not a pre-ticked box or silence. A company must be transparent about what the data will be used for, and withdrawing consent must be as easy as giving it.
- The right to correct PII that is incorrect. If a company holds or shares inaccurate information about you, it must give you a way to have it corrected (the right to rectification).
- The right to be forgotten. Consumers can request that their PII be erased from a company’s systems, for example where it is no longer needed for the purpose it was collected for, or where they withdraw the consent the processing relied on. The right is not absolute, but for marketing data held on the basis of consent it will normally apply.
- The right to obtain the PII that a company holds. Consumers can request a copy of the information a company holds about them, along with what it is used for and who it is shared with, and the company generally has one month to respond.
The challenges for marketers:
- Obtaining adequate consent. Marketers can no longer bury privacy notices behind links or rely on pre-ticked boxes. Notice must be presented at the time of data capture in plain language, consent must be a clear affirmative action, and the consent must be recorded so it can be evidenced later. Econsultancy.com has an excellent summary of consent here with some examples: https://www.econsultancy.com/blog/69256-gdpr-how-to-create-best-practice-privacy-notices-with-examples
- Increasing security. Security requirements are now part of the regulation itself and must be followed. However, the regulation asks for “appropriate” measures rather than prescribing specific controls, so what compliance looks like depends on the risk of the processing, and that judgement has to be documented. Encryption and pseudonymization are the two measures the regulation names explicitly, and they are a good start. Be clear about the difference, though: pseudonymized data (for example, an email address replaced with a keyed token) is still personal data and still in scope, because someone holding the key can link it back. Only data that is genuinely anonymized, where no individual can be re-identified by any means reasonably likely to be used, falls outside the regulation, and simply hashing an email address does not get you there. The IAPP has some good info here: https://iapp.org/news/a/looking-to-comply-with-gdpr-heres-a-primer-on-anonymization-and-pseudonymization/
- Managing the right to be forgotten. This may be one of the bigger challenges for compliance. Companies must give consumers a method to request deletion of the information stored about them and must act on it without undue delay. Given that information may be stored in multiple locations, including a CRM, marketing automation platform, accounting system and ERP, plus backups, log files and third-party processors such as email service providers, having a clear understanding of where data lives is step one; the record of processing activities that most organizations will need to maintain anyway is the natural place to keep that inventory. Devising a system to remove information on request about a single individual across all of those systems, and to notify the third parties you have shared it with, could be a significant challenge. Note too that some records must be kept regardless, for example invoices retained for tax purposes, so the erasure process needs to know which data is exempt rather than deleting blindly.
- Appointment of a Data Protection Officer. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; behavioral tracking and profiling at scale can put a marketing-driven business into that first category, and appointing one voluntarily is sensible in any case. The role requires an individual with “expert knowledge of data protection law and practices.” The DPO monitors compliance, advises the organization, handles awareness-raising and training of staff, acts as the liaison between the company and the Supervisory Authority, and is the contact point for consumers who have questions or concerns about their data and their rights. The DPO must be able to act independently and report to the highest level of management. Digital Guardian has a comprehensive write-up about the role here: https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-about-new-role-required-gdpr-compliance
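To make the pseudonymization versus anonymization point above concrete, here is a small added example (written for this post, not code from the original article or from any of the linked sources). It assumes a few constructed customer records and a constructed list of candidate email addresses that an attacker might hold, and it uses a keyed HMAC-SHA256 token for pseudonymization. The function and record names are illustrative.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Added example, not the original post's code. Sample records are constructed,
# not real people. In production the key lives in a secrets manager or HSM,
# separate from the dataset and from the teams that only need pseudonymized data.
PSEUDONYMIZATION_KEY = secrets.token_bytes(32)

SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "age": 34, "postcode": "SW1A 1AA", "spend": 120.0},
    {"email": "bob@example.org", "age": 29, "postcode": "EC2A 3LT", "spend": 45.5},
]

# What an attacker might plausibly have: addresses from a breach dump or a
# purchased marketing list (constructed here).
CANDIDATE_IDENTIFIERS = ["carol@example.net", "alice@example.com", "bob@example.org"]


def normalize_email(email: str) -> str:
    # Case and whitespace differences must not produce different tokens,
    # otherwise joins across systems silently break.
    return email.strip().lower()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Often mislabeled as anonymization."""
    return hashlib.sha256(normalize_email(identifier).encode()).hexdigest()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token (HMAC-SHA256).

    Same identifier and same key give the same token, so records can still be
    matched across systems; without the key the token cannot be linked back."""
    return hmac.new(key, normalize_email(identifier).encode(), hashlib.sha256).hexdigest()


def reidentify(token: str, candidates: Iterable[str], key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: hash every candidate the same way and compare.

    With key=None the attacker is attacking unkeyed hashes; with a key they are
    attacking HMAC tokens using a key they hold (or guessed)."""
    for cand in candidates:
        t = naive_hash(cand) if key is None else pseudonymize(cand, key)
        if hmac.compare_digest(t, token):
            return normalize_email(cand)
    return None


def pseudonymize_records(records: Iterable[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a token.

    Still personal data under the GDPR: the key holder can re-identify, so the
    output stays in scope and still needs protecting."""
    out = []
    for r in records:
        r2 = dict(r)
        r2["subject_id"] = pseudonymize(r2.pop("email"), key)
        out.append(r2)
    return out


def postcode_area(postcode: str) -> str:
    # "SW1A 1AA" -> "SW": keep only the leading letters of the outward code.
    outward = postcode.split()[0]
    area = ""
    for c in outward:
        if not c.isalpha():
            break
        area += c
    return area


def anonymize_records(records: Iterable[dict]) -> List[dict]:
    """Drop the direct identifier entirely and coarsen the quasi-identifiers
    (age, postcode, spend) so individuals cannot be singled out. No token, no
    key, no way back. Whether this is anonymous enough depends on the dataset:
    with tiny or sparse data even banded values can single someone out."""
    out = []
    for r in records:
        decade = (r["age"] // 10) * 10
        out.append({
            "age_band": f"{decade}-{decade + 9}",
            "postcode_area": postcode_area(r["postcode"]),
            "spend_band": "100+" if r["spend"] >= 100 else "<100",
        })
    return out
```

Running `reidentify` against `naive_hash` output recovers the address from a short candidate list, which is why an unkeyed hash of an email is neither anonymization nor adequate pseudonymization. Against the HMAC token the same attack fails unless the attacker also has the key, so the security of the scheme collapses to key custody: keep the key out of the systems and teams that hold the tokenized data, and plan for rotating it.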
GDPR compliance is a complex subject and will require participation from the highest levels of the organization, including heavy involvement from Marketing, Legal, IT and C-level executives.
At this point there are dozens or possibly hundreds of blog posts about the technical aspects of it and checklists on how you can comply. Here are some additional links to credible sources so you can get up to speed:
All this nets out to a relationship between consumers and marketers where nothing is hidden. That sounds like the way things should be regardless of an official regulation.
If you haven’t already, get your key stakeholders together and start the discussion.