LEAP is in no way offering legal advice nor protection from potential EU GDPR penalties. This document represents LEAP’s suggested guidance regarding potential steps to be taken in pursuit of compliance. Ultimately, your legal teams should be consulted regarding full compliance and risk mitigation.
Over the past month, there’s a reason every company you subscribe to has sent an email with the same subject line: “We’ve Updated our Terms and Conditions.”
In 2016, the EU voted and realized the data they’re providing the internet is significant and personal. The majority vote decided their information, which was used by companies online but unclear as to how exactly, was theirs to control. So in 2016, the EU adopted the General Data Protection Plan, replacing the 1995 Data Protection Directive, according to the European Data Protection Supervisor. The new GDPR plan went live on May 25, 2018.
Companies claim they use personal information to serve better, more targeted content to their audience. But customers in the EU don’t trust exactly how their information – emails, documents, billing information, addresses, social media posts, etc. – are stored and used.
Though shadowing Brexit news, this new regulation actually had nothing to do with the new law and will not impact UK compliance until 2019.
Breaking Down the Changes
Under the GDPR, consumers in the EU have more control over their data. They now have the right to:
- Opt-out of any and all website and third-party tracking
- Opt-out of any all marketing lists and activity
- Request to see their information currently stored by companies
- Request to have their data ported to another company
- Request to remove all identifying records
- Be able to clearly understand how and why their data is being used by companies
- Be able to give consent only if over a certain age – under GDPR, the default age at which this happens is 16, but the regulation allows member states to adjust that limit to anywhere between 13 and 16.
- Be notified, within 72 hours of a company becoming aware, if there has been a data breach that compromises their information.
Hearing this is only taking place for EU customers, brands in the US may believe they’re exempt from complying. Technically, the law is directed at any company that:
- Has business locations in the EU
- Sells products or services in the EU
- Targeted for marketing and/or advertising that includes the EU
- Companies larger than 250 employees.
Taking a deeper look at analytics, though, may show customers in the EU are indeed visiting both publisher and CPG websites. Basically, if you have customers, you must comply. Hence the emails from every organization on the internet.
If you Break the Rules
Not complying results in pretty hefty fines. At this time, enforcement in the US is uncertain. But penalties in the EU are stiff.
At a Lower Level:
Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:
- Controllers and processors under Articles 8, 11, 25-39, 42, 43
- Certification body under Articles 42, 43
- Monitoring body under Article 41(4)
At an Upper Level:
Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:
- The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
- The data subjects’ rights under Articles 12-22
- The transfer of personal data to a recipient in a third country or an international organization under Articles 44-49
- Any obligations pursuant to Member State law adopted under Chapter IX
- Any non-compliance with an order by a supervisory authority (83.6)
How To Continue Marketing
Where brands used to drive the internet, they are now taking a passenger seat to consumers. Which changes marketing tactics amongst brands. With less information, targeted content will not be as precise.
According to SuperOffice, in order to sign up for digital communications – which requires an exchange of their data – prospects will have to fill out a form, check a box to confirm they want to share their personal data, then confirm in a follow-up email. All this effort because, in a case a consumer fights they allowed their data to be shared, organizations must prove consent was given.
Even further, if an organization purchases marketing lists (of course, we’re not asking to admit you do this) it is the responsibility of the organization that bought the list to obtain proper consent.
Of course, this sounds like marketing will never be the same again. Steve MacDonald, author for SuperOffice, argues there’s no real reason to worry. “Sure, GDPR does sound intimidating and the fines issued by the ICO are enough to make you rethink your entire marketing strategy. But, in reality, this new legislation isn’t a set-back. In fact, it’s a great opportunity for you to do what marketers do best – that is create targeted marketing campaigns with people that are engaged with your brand,” said MacDonald.
He claims by gaining consent, which should not be difficult if an organization is transparent and honest with its customers, it’s actually an opportunity for marketers to target better than before GPR laws. Additionally, by providing yes or no options to customers, in terms of what pieces of data they want to share, you can best determine what each person is really interested in.
Our own president was up into the wee hours of the morning the weeks before May 25. After all, LEAP Group constantly touts our expertise in targeted campaigns. This certainly changes the way data is being collected, but doesn’t have to change an entire business strategy.
For a complete GDPR compliance guide, please email biz@leapagency.com