It’s easy to blame the Europeans. Whether it’s the metric system or the way they spell “colour” and “theatre,” they sure seem to enjoy making things more difficult for us Americans. And now they’ve come for our data.
The European Union’s General Data Protection Regulation, aka “GDPR,” went into effect on May 25, 2018. Though it technically only applies to personal data of EU citizens, GDPR represents a seismic shift that is already affecting businesses around the world.
Websites are now asking “Mother, may I?” before storing your information as cookies and e-marketers are double-checking that it’s okay to keep sending you emails. It’s all very polite and straightforward–two qualities the internet isn’t generally known for.
So, What IS GDPR?
GDPR (all 88 pages of it, which can be found here) provides standards and protections for all personal data belonging to citizens of the EU and rules for how that data is acquired, stored, transferred and utilized, no matter where those citizens may physically be. The data in question is not limited to information used for marketing and advertising purposes–all customer and employee data, online databases, spreadsheets and even paper systems are covered by the new law. Violations can carry fines of up to 4% of a company’s global revenue or €20 million. That’s $23.3 million in American money!
But this is no time to overreact – you probably don’t need to hire a Data Protection Officer or start learning French. While GDPR is an important, game-changing development, it is still relatively new. Like any good legal document, the GDPR is difficult to parse and subject to interpretation. Google and Facebook have already had enormous lawsuits filed against them and there will no doubt be many legal decisions that help to solidify the details and compliance measures. But that disclaimer aside, GDPR–and the principles of user protection it represents–is here to stay.
The Key Principles of GDPR … Simplified
- Acquire user data in an honest manner and be clear about how you’re going to use it when you ask for it. Don’t buy, scrape or borrow it from a third party.
- Only ask for the information you truly need.
- Only use someone’s data for the express purpose it was given. For example, if a customer gives you their email address to get shipping and tracking updates, don’t automatically add that email address to your newsletter list.
- Keep user data accurate and updated, to the best of your ability, and only for as long as you reasonably need it. Different types of data might have different time spans for retention. For example, you may want to keep 5 years of customer data to provide proper customer service, but you probably don’t need the social security number of a job-seeker from five years ago.
- Keep and transfer user data securely. Don’t send spreadsheets via unencrypted email. Don’t keep customer credit card numbers written on Post-It notes. Don’t host your client contact information on public-facing web pages or unsecured servers.
Easy First Steps You Can Take Today:
- Review all of your contact lists. That includes customer lists, subscriber lists, vendor lists, employee lists and more. Anything you have stored on paper, in spreadsheets, on websites or other applications should be checked. Document where each list came from, how the contacts were acquired and whether or not you still have a valid reason to keep that list.
- Stop buying and sending to purchased lists. Other than corner cases, they’re almost certainly not compliant with GDPR.
- Review all of your email sign-up and contact forms. Make sure opt-in checkboxes are not pre-checked and you clearly communicate what the user is signing up for. Don’t automatically add people to subscriber lists unless they’re clearly signing up for that list and you can prove it.
- Assess what third parties are doing. Check with any external companies that access or handle your data (agencies, vendors or payroll companies) to see what steps they’re taking towards compliance. Get clarification on how they’re using your data.
- Educate your team. Make sure your entire staff, from marketing to sales to the C-suite, is aware of GDPR and what their responsibilities are for safeguarding data.
- Check for EU user data first. If you can identify any EU citizen data in your possession, make that your top priority for compliance. If possible, keep it separate from other user data as you work to improve security.
While the full impact of GDPR is still to come, there’s good reason to start working towards compliance where possible. Because let’s face it, if you’re just starting to work towards compliance, you’ve already missed the deadline. Not only will compliance make your business better prepared for the future and better protected against liability, it’s actually a great opportunity to rebuild trust. Instead of the usual tracking, retargeting and routine approaches to marketing online, it offers a human touch. By asking people if they truly want to receive your emails and by telling them how you plan to use and store their data, you demonstrate your trustworthiness and integrity. You offer someone a straightforward interaction based on mutual value and you build something far more lasting: a relationship.
Maybe those Europeans are onto something.
Is your business ready for GDPR? Use BBR’s simple GDPR Checklist to see which areas of your marketing and operations may be affected.