Please note that this guide is purely for GDPR information purposes. You cannot rely upon this info resource as legal advice. You should work with legal and other professional counsel to determine precisely how the GDPR might impact your organization’s data policies and practices.
The GDPR updates a business’s obligations to EU citizens — from collection to disclosure, the law is improving and codifying how EU user data is handled. Here’s a simple summary of what you need to know.
What is the GDPR? The General Data Protection Regulation (GDPR) is a constitution-like piece of EU legislation that will extend EU citizens’ data rights, namely: the right to be forgotten, data portability, and breach notification.
This legislation is enforceable as of May 25th, 2018 and the new rights granted by the GDPR must be respected if EU citizens use your website.
Who does GDPR apply to?
Here’s what changes for companies:
- Operating strictly in the US: Nothing changes
- Operating in the EU or internationally: Personal data regulations will be heightened
So, if an EU citizen visits your website, you need to respect that citizen’s data rights granted by the GDPR.
What does GDPR mean for marketing?
For marketers, the essential parts of these new rights will likely revolve around:
- Gaining consent to use personal data
- Correctly handling data (e.g. securing, erasing, etc.)
Because of this, GDPR B2B marketing may change, making it harder or more costly to collect personal information and convert prospects unless you market in more creative, intelligent ways.
The GDPR’s “personal data” definition
For GDPR, personal data is defined as “any information relating to an identified or identifiable natural person.”
Said another way, personal data is anything you can use to identify a person.
More specifically, GDPR personal data examples include a person’s:
- Email address
- IP address and other unique IDs (e.g. mobile device ID)
Finding out if you’re GDPR compliant
You can read the GDPR text here. But right now, it’s still a bit open to interpretation.
Consider the U.S. Constitution and the “right to bear arms.” This right is interpreted as “anyone who is not a minor has a right to purchase firearms.” There’s still plenty of room for interpretation in that constitutional statement — e.g. where you can bear arms (gun range) vs. where you can’t (schools). It’s up to the courts and legislative officials to tell us how to interpret it.
For the GDPR, how to “officially” interpret the legislation will be a little unclear until the EU starts enforcing it and defining “violations” — e.g. “When these marketers did X, they did not properly obtain consent per our definition.” These enforcement actions will signal what you must do to comply with the GDPR. In the meantime, you’re free to subscribe to whatever interpretation your lawyer advises you on (and lawyers may differ in opinion).
There are some details in the GDPR that are more black and white. For example, EU citizens will have a right to be notified if there has been a data breach involving their personal data. They’ll also have a right to request that you delete their information from your database(s). But to us, those kinds of data privacy decency standards are generally how we want to work with businesses and respect people’s data anyway.
What to expect in the future
We’ll see interesting new features that directly impact marketers, like data retention controls and IP anonymization in Google Analytics or AdWords non-personal targeting. There’ll also be behind-the-scenes changes indirectly affecting us.
As new features and best practices are shared, marketers will have to continue learning them so they can adapt to the changing landscape.
How to gain consent to use personal data
Consent to collect personal data from an EU citizen must be “freely given, specific, informed and unambiguous,” and the individual must agree to the collection of this information by “a statement or a clear affirmative action.”
Also, consent is not indefinite and EU citizens will be able to revoke their consent at any time. It’s a fluid topic and it remains to be seen how the EU will enforce definitions like “a clear affirmative action.”
GDPR and “double opt-in”
“Double opt-in” is when you send a confirmation email to someone after they opted in to your email newsletter. This is not a requirement now, nor would it solve everything; it’s still just one method of clearly getting user consent. Even with double opt-in, you would still need to be specific about:
- What data you’re collecting.
- Why you need your user’s data.
- What you will do with your user’s data.
And that list of disclosure specifics won’t cover every scenario.
Handling personal data
There are new compliance procedures (e.g. data privacy impact assessments) for certain business activities involving EU citizen personal data. But all that generally means is that your standards for keeping things organized and safe should at least meet the EU’s standards.
A few new rights
- Right to Be Forgotten: An EU contrivance that says individuals have a right to remove content involving personal data about them from websites.
- Right to Access, Right to Rectification, and Right to Data Portability: If a user wants to edit or move their info from your database, then you need to honor those types of requests.
- Breach Notification: EU citizens have a right to be notified if there’s a breach.
There are even more new rights and legal obligations for businesses than those listed here. But again, most of this should be rather ordinary for your business.
And if you’re uncertain as to whether you’re compliant with any of the regulations of the EU’s GDPR, you should talk to legal or professional counsel.
Other GDPR resources
- ANA marketing collection of resources
- Digital Impact’s list of GDPR resources
- Daniel Solove’s GDPR cartoons, interactive whiteboard, training guide, and key documents
What are your concerns with the GDPR?