The European Union is cracking down on how companies use individuals’ data.
From May 25, 2018, breaches of the General Data Protection Regulation (GDPR) will carry fines of up to €20 million (roughly $23m) or 4% of the company’s global annual turnover, whichever is greater.
Some are calling it the end of digital marketing’s “wild west”. At Falcon.io, we view it simply as a catalyst for a more regulated industry; one in which individual data is protected, and where companies will ultimately benefit from greater legitimacy.
What is the GDPR?
In the EU’s own words, the regulation is intended to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
It is a major overhaul of existing data protection laws to factor in the internet and cloud technology. It aims to standardize and tighten up on how companies use all that personal data that digital technology can now collect.
Although an EU regulation, the GDPR has global implications: it applies to any company, wherever it is established, that offers goods or services to individuals in the EU or monitors their behaviour there.
Were the GDPR already in effect, Uber would likely be facing the maximum penalty for concealing its 2016 data breach, disclosed only this week.
The most common questions
Søren Dam Hansen is Falcon.io’s Legal & Privacy Counsel. He has headed our GDPR compliance process and has helped customers who have come to us with questions.
He says, “Basically, this is about everyone’s right to protection of personal data. People have the right to find out what personal data a company has and what it is being used for. Lawyers might say that there is no great difference between the existing and upcoming legislation – but it’s the consequences of noncompliance that make the regulation something to pay attention to.”
The fines are severe. The more serious breaches could lead to fines of up to €20 million (roughly $23m) or 4% of global annual turnover (based on the previous financial year), whichever is greater. Lesser infringements carry a penalty of up to €10 million (roughly $11.7m) or 2% of global annual turnover, again whichever is greater.
Here we cover the most common questions posed to Søren and his team as well as their answers.
Notification obligation and consent
What is the most important thing for a digital marketer to think about in relation to the GDPR?
The first consideration is notification. There isn’t so much new here, but it underlines the company’s obligation to inform users about who is collecting their data, what it is being used for and the legal basis for collecting it.
The legality and purpose, in particular, are key considerations before processing personal data: many companies are not aware that tracking an individual’s movement around your website can count as collecting personal data even if all you hold is “just” an IP address. If the data can be attributed to an individual, the user must be informed.
Many people also forget that when you interact with social media users, you must make it clear if their personal data will be used for other things (such as analyses) – even if that information is already publicly available.
This is why we will very likely soon be seeing companies using a variety of new ways to notify their software and online users about the information being collected. It will no longer be enough to simply have this kind of information in a tiny font in a corner of the website a user will never see.
In addition, companies will need to revise how they obtain consent for direct marketing. It will be more important than ever that the consent is formulated clearly and in compliance with the GDPR. Failing to do so will simply mean you have no valid consent on which to base your direct marketing.
Who has access to personal data?
Once you are on top of your notification obligation and consent – what then?
In general, you must be able to document that you are in control of a user’s personal data. Tooling is where that is typically most difficult for digital marketers. What will all that personal data in our tools be used for?
So it is vital to document the type of information you collect, what it is used for, who it is obtained from, whether it will be disclosed to others, whether it will be transferred outside of the EU and when it will be deleted.
Most companies use a number of different tools and third-party vendors. These will need to be reviewed so that every data flow is documented, and you will need to put comprehensive, GDPR-compliant data processing agreements in place with each supplier.
Also, you must be able to answer the following questions:
- What personal data do your subcontractors handle?
- Are the necessary safeguards in place?
- Will the personal data be automatically sent to another tool, and if so, which?
- If the vendor is based outside the EU, what are the additional requirements that must be adhered to?
- What about your browser plugins or mail client? Do these collect or send personal data?
Companies and marketers who haven’t addressed these questions before now face a substantial task.
What is the right answer?
What do you do if you get a message from a user who wants to know what personal data you have about them?
First of all, you are obligated to answer, and to do so without undue delay: the regulation sets a limit of one month from receipt of the request, extendable only where requests are complex or numerous.
That pertains to all personal data the company holds, including data stored in the cloud or held by a third-party vendor on your behalf. This obviously places new demands on businesses to locate and retrieve information quickly and reliably.
All this makes it vital to establish procedures for handling user requests. The same applies if a supervisory authority wants to inspect your data-processing relationships, or if your company’s or a subcontractor’s data security fails: a personal data breach must, where feasible, be reported to the authority within 72 hours of your becoming aware of it, so here too you need effective, tested procedures that ensure quick action.
The payoff is greater legitimacy
All the work around the GDPR can be frustrating. What’s the upside for my company?
While the GDPR may seem like a burden right now, the enhanced control will create greater legitimacy for companies as a whole. At the same time, in the build-up to May 25 and beyond, suppliers will be better placed to meet their clients’ documentation needs, which are currently a headache for many.
The good vendors will reduce complexity
At Falcon.io, we aim to make the transition as simple as possible for our customers, so we will be ready to give them the information they need or help them in other ways.
Some customers find it hard to describe what their software actually does. We can help, so it not only becomes understandable to people in marketing, but also to their legal and IT departments.
Ultimately, we strongly recommend that if you don’t have your GDPR compliance review underway, it’s time to focus on it. It’s a complex process, but not impossible. And even though the GDPR will create new demands for us as digital marketers, there is no reason to fear that it will put any of us out of business.