GDPR – The End of Digital Marketing’s Wild West?
1 November 2017
by Ulrik Bo Larsen, CEO, Falcon.io
A lot has been said and written about the upcoming EU General Data Protection Regulation (GDPR). But what does it mean for social media marketers within the EU – and non-European companies marketing to EU customers? Could it really spell the end of a golden era as some claim?
First off, what is the GDPR? The regulation, which will come into effect on May 25 next year, is a major overhaul of existing data protection laws to factor in the internet and cloud technology. It aims to standardize and tighten up on how companies use all that personal data that digital technology can now collect.
Although an EU regulation, the GDPR has global implications as it affects any company that offers goods or services in the EU.
I expect there are a lot of digital marketers that have the GDPR top-of-mind, and have for quite some time now. We have all heard about the hefty penalties heading the way of those who fail to comply.
At Falcon.io we have closely followed the regulation’s development. We work with a large amount of personal data, as do our customers. Our main take on the GDPR is that its introduction will transform marketing into a regulated industry.
Søren Dam Hansen, our Legal & Privacy Counsel, has headed our compliance processes as well as lent support to customers who have come to us with questions. I asked him what he thinks marketers should be aware of in regards to the GDPR.
“Basically, this is about everyone’s right to protection of personal data. People have the right to find out what personal data a company has and what it is being used for. Lawyers might say that there is no great difference between the existing and upcoming legislation – but it’s the consequences of noncompliance that make the regulation something to pay attention to.”
Notification obligation and consent
What is the most important thing for a digital marketer to think about in relation to the GDPR?
The first consideration is notification. There isn’t so much new here, but it underlines the company’s obligation to inform users who is collecting their data, what it is being used for and the legal basis for collecting it.
The legality and purpose in particular are key considerations before processing personal data: many companies are not aware that if you track an individual’s movement around your website it could well be personal data collection even if it is “just” an IP address. If it can be attributed to an individual, then the user must be informed.
Many people also forget that when you interact with social media users, you must make it clear if their personal data will be used for other things (such as analyses) – even if that information is already publicly available.
This is why I think we’ll soon be seeing companies using a variety of new ways to notify their software and online users about the information being collected. It will no longer be enough to simply have this kind of information in a tiny font in a corner of the website a user will never see.
In addition, companies will need to revise their consent to direct marketing. It will be more important than ever that the consent be formulated clearly and in compliance with GDPR. Failing to do so will simply mean you have no valid consent to base your direct marketing on.
Who has access to personal data?
Once you are on top of your notification obligation and consent – what then?
In general, you must be able to document that you are in control of a user’s personal data. Tooling is where that is typically most difficult for digital marketers. What will all that personal data in your tools be used for?
So it is vital to document the type of information you collect, what it is used for, who it is obtained from, whether it will be disclosed to others, whether it will be transferred outside of the EU and when it will be deleted.
Most companies use a number of different tools and third-party vendors. These will need to be reviewed to ensure that everything is documented. You will also need to establish comprehensive GDPR compliant agreements with suppliers.
You should be able to answer the following questions:
What personal data do your subcontractors handle? Are the necessary safeguards in place? Will the personal data be automatically sent to another tool, and if so, which? And, if the vendor is based outside the EU, what are the additional requirements that must be adhered to?
And what about your browser plugins or mail client? Do these collect or send personal data?
Marketers who haven’t addressed these questions before now face a substantial task.
The right answer
What do you do if you get a message from a user who wants to know what personal data you have about them?
You are obligated to answer.
That pertains to all personal data held by the company, including in the cloud or by a third-party vendor. This obviously places new demands on businesses to gather and access information in a more effective and simple manner.
All this makes it vital to establish procedures for handling user requests. This also applies if an authority wants to inspect your relationships, or if your company or subcontractor’s data security is noncompliant or compromised – in that case, you also need effective and verified procedures to ensure quick action.
All the work around the GDPR can be frustrating. What’s the upside for my company?
I understand if companies find this difficult. But in the end, I think that users are only focusing more on the protection of personal data, and that enhanced control will create greater legitimacy for companies as a whole.
At the same time, I also believe that as the GDPR approaches and is applied, suppliers will be better off in regards to meeting their clients’ documentation needs as these are currently a bit of a headache for many.
The good vendors will reduce complexity
At Falcon.io, we have worked hard to become one of the “good vendors”, so we can simplify GDPR compliance for our customers.
We aim to make the transition as simple as possible for our customers, so we will be ready to give them the information they need or help them in other ways.
Some customers find it hard to describe what their software actually does. We can help so it not only becomes understandable to people in marketing, but also to their legal and IT departments.
Ultimately, we strongly recommend that if you don’t have your GDPR compliance review underway, it’s time to focus on it. It’s a complex process, but not impossible. And even though the GDPR will create new demands for digital marketers, it will not put them out of business.