The European Union’s new legal framework for data protection will have sweeping implications for businesses worldwide. Known as the General Data Protection Regulation (GDPR), the legislation goes into effect May 25, 2018.
The GDPR will fundamentally change how data is used, protected, and controlled — and force marketers to rethink how they communicate with consumers. It shifts the balance of power to consumers by expanding their rights to modify, delete, and receive copies of the data an organization holds on them.
The law protects personal data and regulates its processing and transfer by data controllers — entities that determine the purposes, conditions, and means of the processing of personal data — and data processors — those who process personal data on behalf of data controllers.
GDPR Will Trigger Meaningful Change
A law as complex as the GDPR is naturally fraught with nuances and ambiguity. However, one thing is clear.
The GDPR will trigger a meaningful change in the ways businesses operate and will more clearly define how they interact with consumers.
The breadth and depth of the legislation will undoubtedly create challenges for even the most conscientious businesses. But it will also create opportunities.
“Ultimately it will compel marketers to be more thoughtful, transparent, and respectful of the data they collect and use,” said Arke CEO and Co-Founder Eric Stoll.
“That will go a long way toward rebuilding trust with consumers at a time when many have grown skeptical and weary over highly publicized incidents of misuse of their personal data.”
Arke Will Share GDPR Knowledge
Over the coming weeks, Stoll and other Arke leaders will collaborate on a series of articles about the EU’s General Data Protection Regulation.
Arke is a brand experience consultancy specializing in strategic implementations of marketing technology solutions.
This series will provide insights on the practical application of the GDPR. It’s aimed at those who use marketing technology platforms for websites, marketing automation, and customer relationship management (CRM).
Arke is creating the articles for informational purposes only. They are not intended to provide, and should not be relied on for, legal advice.
“Our goal is to enlighten clients about the GDPR and promote internal discussion on the applicability of the law to their own businesses,” Stoll said. “The more businesses know about the GDPR, the better they’ll be able to proactively address it.”
Impact of the General Data Protection Regulation
European law has long recognized privacy as a fundamental human right, and the GDPR contains stringent rules to protect personal data in line with this principle. The GDPR replaces a 1995 EU “Directive,” which required EU member countries to enact local laws consistent with its principles.
But the directive was enforced inconsistently throughout the EU. The GDPR, in contrast, will be directly binding on all EU member countries.
While the GDPR carries forward the Directive’s basic approach to protecting personal data, it also contains important new provisions that can apply to companies outside the EU. It shifts the burden to protect data to businesses and empowers individuals to take control of their data. It also imposes hefty fines on those who fail to meet the new standards.
What’s more, the GDPR has global reach, with the likelihood of affecting any company that handles the personal data of any European residents — regardless of where the company is based.
Global Implications of the GDPR
Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed. The UK also plans to implement the GDPR despite Brexit.
That means non-EU companies should take steps to be GDPR compliant if they:
- Maintain an internet presence, and sell or market products or services over the web
- Accept the currency of an EU country; have a domain suffix for an EU country; offer shipping services to an EU country; provide translation in the language of an EU country; or market in the language of an EU country
- Monitor the behavior of EU residents by tracking and collecting information about them
In short, GDPR applies to more marketers than you may think. That includes small US-based companies with incidental sales to EU residents.
“The minute such a business captures an email address of an EU resident with an intent to communicate with him and track his response, that business becomes subject to GDPR, regardless of where the business, server, or subject is located at the time,” Stoll said.
Highlights of the GDPR
Consumers have the “right to be forgotten” under the General Data Protection Regulation.
Specifically, they can ask to have personal data erased when it’s no longer needed for the purpose it was collected or processed.
In addition, it requires companies to:
- Report unauthorized access to personal data within 72 hours of detection
- Explicitly obtain consent from consumers whose data they want to use and/or share
- Provide, on request, a free copy of the personal data they hold on a person in an electronic format
- Adopt privacy-by-design policies; that is, build data protection into the design of a system
- Pay stiff fines and administrative sanctions for non-compliance
Companies that fail to comply with the GDPR face serious financial risks: fines of up to 20 million euros ($24.62 million USD) or 4 percent of total annual global revenue (whichever is higher).
According to a March report by Forrester, only 15 percent of business-to-business (B2B) marketers are fully compliant with the GDPR. About 18 percent are still wondering what to do. “Even with the potential risk of business-crippling fines, many B2B marketers are unprepared,” wrote Forrester VP and Principal Analyst Lori Wizdo.
Gartner predicts more than 50 percent of companies affected by the GDPR will remain noncompliant by the end of 2018.
What the GDPR Means for Marketers
Digital technologies and the ability to gather more data than anyone dreamed a few decades ago have fueled a marketing revolution.
Today it’s possible to know your customers (as well as prospective customers, competitors, suppliers, vendors, and every other person even peripherally related to your brand) better than ever before.
But the proliferation of data — and the general willingness of consumers to provide it in exchange for little or nothing — has dulled its value. It seems, in fact, that the more data a marketer has, the more cavalierly that marketer treats the data.
As John Snyder, the CEO of Grapeshot, a global contextual intelligence provider in the ad tech marketplace, wrote recently in Adweek, “The GDPR is a natural response to advertisers’ over-reliance on data. It’s also the best thing to ever happen to them, as it forces a moment of self-reflection and presents them with an opportunity to become the best versions of themselves.”
GDPR Increases Marketing Accountability
The GDPR slams shut the days of free-flowing, easily collected, and carelessly maintained data.
Instead, it establishes a protocol that redefines the relationship between marketers and consumers.
Under the GDPR, marketers will have to earn the right to communicate with consumers. They will also need to explicitly ask for permission to collect and store personal data.
They can no longer gather everything from date of birth to household income for access to a white paper.
Now they’ll have to start with a strategy. What data do we need to collect? How will we use it? How will we protect it?
The GDPR is a big, messy piece of legislation with plenty of inherent issues involving its implementation and guidelines. As we navigate it, companies will stumble and issues will arise.
It will take work to get it right. But the GDPR is nothing to fear.
“It promises to increase honesty, transparency, trust, and respect for the people with whom you do business,” Stoll said. “How can we argue with any of that?”
For More Information:
- How to Cope With GDPR: New EU Data Law Promises Big Changes for Marketers
- Consent and Data Governance
- Data Security & International Transfers
- Data Retention, Erasure, Access Requests, Preference Management
- The GDPR Is Here: Is Your Site Still Accessible in the EU?
(Stay with us over the coming weeks as we share specifics on the GDPR, including practical applications for marketers.)