What is GDPR and Should You Be Doing Anything About It?

You’ve probably heard of the General Data Protection Regulation, often referred to as GDPR. If you haven’t researched it yet, chances are that you’ve already begun to see its impact in your inbox.

GDPR is a new data privacy law that will go into effect on May 25, 2018. As digital marketers, it’s essential that you’re prepared to comply with this new law and fully understand its implications.

The policies within GDPR are designed to help build trust with your audience and, ultimately, provide a better user experience.

But Wait…isn’t GDPR Just a European Thing?

Technically yes, the European Union passed GDPR to establish rules for organizations that control or process personal data. The catch is that the law applies regardless of your company's physical location. As long as your company is classified as either a “processor” or “controller” of customer data, GDPR applies to you.

Under the new GDPR rules, a controller refers to an organization that determines the purpose and ways consumer data is processed. While a processor is defined as an organization that processes personal data on behalf of the controller. For example, your brand may collect and use customer data in your R&D, marketing, or other operations. This makes you a controller. As a controller, you may provide your customer data to a fulfillment house to send samples, products, or direct mail out to your customers. This activity would make them a processor on behalf of you, the controller.

GDPR places strict legal obligations on processors to maintain personal data records. This paper trail increases the level of liability should the processor be responsible for a breach. Controllers are not safe from legal concerns either. The requirements within GDPR force controllers to do their due diligence to ensure that all contracts with processors comply with the new regulations. If they don’t have records of performing this due diligence, they too can be held liable in the event of a breach.

What is Personal Data Under GDPR?

Under the new regulations, personal data means any information that can be used to identify a person. This has dramatically widened the scope of the standard name, address, and photos. In fact, under GDPR, even IP addresses are now considered to be personal data. The new rules also cover sensitive data that is now more frequently found and stored online such as genetic and biometric data (think 23andme.com, Ancestry.com, and all of the fitness/health/weight loss apps).

How GDPR Benefits Consumers

Last year a record 1,579 breaches occurred across a wide range of industries. That’s a crazy number – roughly four breaches each day for a year. The odds are that the personal data of most, if not all, consumers have been exposed online at some point.

GDPR won’t stop breaches from happening, but the new rules provide consumers with the right to know that their data has been hacked as soon as possible to allow EU citizens to take measures to limit their exposure.

Under the new regulations, consumers should also have easier access to their data and the details of how companies use their information in a way that can be easily understood.

What Brands Should Do to Prepare for GDPR

Many companies have begun prepping for GDPR by simply sending emails to their customers updating their privacy policy to clarify how data is used and providing customers with an option to opt-out.

In the retail and marketing industries, some organizations have decided to reach out to their customers to specifically ask them if they’re willing to be part of their database moving forward. [check out our Ad Math video on calculating the value of an email subscriber]

Regardless of your approach, your customers should have a simple way of opting out of your database or mailing list. Additionally, GDPR supports the “right to be forgotten,” which requires companies to delete customer data from your database at their request – as long as there are no legal grounds for retaining it.

Next Steps

Unfortunately, there is no one size fits all solution when it comes to GDPR. Each business will need to examine how their database is structured, used and where any liabilities exist. This includes relationships with third-party vendors and determining who owns responsibility for compliance in each area.