This week GDPR peaked on Google searches. It hit the mainstream media, and anyone who was not aware of it before is now. If not, read on here.
Understanding the GDPR
The General Data Protection Regulation was released in May 2016. Controllers and processors operating within the 28 member states of the European Union were notified that the law would come into effect on May 25, 2018. Under the grace period, the regulator gave the stakeholders enough time to institute mechanisms that would facilitate compliance once the implementation stage starts.
The regulation applies to all institutions, entities, parties and individuals domiciled in the EU and UK regions and the greater EU economic zone. Concisely, any transaction that involves digital data belonging to citizens and residents of the EU and the UK has to be in compliance with the GDPR.
The new policies will compel all organizations holding data, or intending to acquire personal information for business transactions, to relinquish any claim to absolute ownership of that data. This law recognizes the individual persons, parties or entities as the sole and rightful owners. Additionally, the regulation will bring clarity to data policies, enabling international businesses to operate with full knowledge of how they are to conduct themselves.
An End to Heated Debates over Data Rights?
For the past 20 years, there have been heated debates in Brussels over the rights of persons and entities over their own data. The call to action was driven by a number of outrageous incidents across the zone that required immediate attention and a meaningful response. Many fell prey to breaches of personal privacy through hacking, the release of classified information by data holders, and the use of personal data for profit-making ventures. These transactions, whether shrouded in mystery or publicized, did not recognize the individuals and entities concerned as parties to the deals: they were considered to have relinquished their rights to ownership of the data once they gave away their information.
The implementation date could not have come at a more appropriate time, especially after the UK's Cambridge Analytica and Facebook saga that sent shockwaves across the globe. Many people in Europe suddenly became aware that their privacy was no longer guaranteed after learning about the hacks and the infiltration of third parties into databases.
An Imminent Shift in Strategy for Organizations
The phenomenal growth in internet use and the ever-growing appetite for background searches on people are the reasons why the GDPR is being implemented. Although a raging debate is going on over whether the regulation is inhibitive or necessary in the EU context, it is clear that all data processors and holders have to comply or risk sanctions.
Organizations will lay emphasis on three basics: trust, parity, and security. Regarding trust, organizations will have to build an image where EU and UK citizens and residents can trust them enough to give out their data. Secondly, the data processors have to protect data privacy as a parity expectation: trust in exchange for privacy, a tit-for-tat game. Lastly, the data holders have to protect the data from an international breach. The three facets will be critical in ensuring that compliance is underpinned as per the intentions of the policymakers. Any laxity and a consequential loss will attract a financial penalty and a possible mischaracterization as a sanction measure.
Online Marketing in the Face of the GDPR
In this light, there are four pillars of the GDPR that affect online marketing, and if they are taken seriously there is nothing to worry about. After all, the European Union is the second largest market in the world, and online marketing has to be part of this lucrative economic zone.
1. Proof of Consent
An online marketer is expected to ensure that there is explicit consent from the recipient of a service. The prospective client has to be presented with unticked opt-in boxes, and there should be a final double opt-in step for sign-ups.
Basically, for online marketers to contact their clients with marketing offers, the clients have to give their explicit consent for it.
The Don’ts for an Online Marketer are:
- Don't bury this consent in the general T&Cs.
- Don't ask clients to opt out, and don't pre-tick the box.
- Don't put conditions on the opt-in: if they are trying to buy or get something (even for free), do not make delivering what they want conditional on the opt-in. One has to be independent of the other.
- Don't fail to let the clients know what they are signing up for. Be specific about the use of the data.
To Do list before May 25th, 2018:
- Segment the lists by region (use the IP address, or other information such as a delivery address).
- Add the "unknowns" to the EU list too; if there are incomplete leads, better safe than sorry.
- Send an opt-in e-mail to unknown clients (before May 24th! now would be better!). You don't have to write legal text for it. Keep true to the tone of voice of your company.
- By May 24th at the latest, delete everybody (from the EU and UK) who did not opt in to your list.
To Do list from May 25th, 2018 and onwards:
- Make sure that there is proof of consent from every new EU joiner by:
  - Incorporating a question in the registration form (they have to be allowed to opt out, and opting in has to be an action, not an inaction)
  - Sending a follow-up e-mail after the registration
- Delete the information of those who did not react or opted out.
It is advisable to always limit these rules to the EU countries. Sure, it is more work, but applying this rule to the entire database may cost more of the audience and more potential customers. Unless there is a prominent EU audience, in which case applying it to the entire database is the better option. In the event that an online marketer notices a discrepancy in the data, it is advisable to notify the clients so that action can be taken.
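As an added example (not code from the original post), the proof-of-consent flow from the two to-do lists above can be modelled as a small consent ledger: an unticked box never creates a record, a sign-up only becomes usable for marketing after the follow-up e-mail's token is confirmed (double opt-in), the ledger can produce the proof of consent on request, and EU/UK and unknown-region contacts that never confirmed are purged after a grace period while non-EU contacts are left alone. The in-memory storage, the token handling, the three-day grace period and the sample contacts are assumptions made for this example; the EU/UK country list is the 28 member states as of 2018 plus the UK.

```python
"""Double opt-in consent ledger (added example, not from the original post).

Assumptions (not in the original text): contacts live in an in-memory dict,
the region code comes from the sign-up form or a geo-IP lookup done elsewhere,
confirmation tokens are random and compared in constant time, and unknown
regions are treated as EU ("better safe than sorry").
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import secrets

# EU member states as of 2018 plus the UK (GB): the scope the post describes.
EU_UK = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "GB",
}


@dataclass
class Contact:
    email: str
    region: str                      # ISO 3166-1 alpha-2 code, "" if unknown
    signed_up_at: datetime
    purpose: str                     # what the data will be used for (be specific)
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    confirmed_at: Optional[datetime] = None   # set only via the follow-up e-mail link


class ConsentLedger:
    def __init__(self) -> None:
        self.contacts: Dict[str, Contact] = {}

    def needs_consent(self, c: Contact) -> bool:
        """EU/UK contacts, and contacts of unknown region, need confirmed consent."""
        return c.region == "" or c.region in EU_UK

    def register(self, email: str, region: str, box_ticked: bool,
                 purpose: str, now: datetime) -> str:
        """Record a sign-up; returns the token to embed in the follow-up e-mail."""
        if not box_ticked:
            # An unticked (or pre-ticked-then-ignored) box is not consent.
            raise ValueError("opt-in must be an explicit action by the client")
        c = Contact(email=email, region=region.upper(), signed_up_at=now, purpose=purpose)
        self.contacts[email] = c
        return c.token

    def confirm(self, email: str, token: str, now: datetime) -> bool:
        """Second step of the double opt-in: the client clicked the e-mailed link."""
        c = self.contacts.get(email)
        if c is None or not secrets.compare_digest(c.token, token):
            return False
        c.confirmed_at = now
        return True

    def proof_of_consent(self, email: str) -> Optional[dict]:
        """What you hand over if asked to show that consent was given."""
        c = self.contacts.get(email)
        if c is None or c.confirmed_at is None:
            return None
        return {"email": c.email, "purpose": c.purpose, "method": "double opt-in",
                "signed_up_at": c.signed_up_at.isoformat(),
                "confirmed_at": c.confirmed_at.isoformat()}

    def purge_unconfirmed(self, now: datetime, grace: timedelta) -> List[str]:
        """Delete EU/UK and unknown-region contacts that never confirmed."""
        removed = [e for e, c in self.contacts.items()
                   if self.needs_consent(c) and c.confirmed_at is None
                   and now - c.signed_up_at >= grace]
        for e in removed:
            del self.contacts[e]
        return sorted(removed)

    def may_send_marketing(self, email: str) -> bool:
        c = self.contacts.get(email)
        if c is None:
            return False
        return c.confirmed_at is not None or not self.needs_consent(c)


def demo():
    """Constructed sample run: one EU confirmer, one unknown-region non-confirmer, one US contact."""
    t0 = datetime(2018, 5, 20, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    tok_a = ledger.register("a@example.com", "DE", True, "newsletter", t0)
    ledger.register("b@example.com", "", True, "newsletter", t0)      # region unknown
    ledger.register("c@example.com", "US", True, "newsletter", t0)    # outside EU/UK
    ledger.confirm("a@example.com", tok_a, t0 + timedelta(hours=2))
    ledger.confirm("b@example.com", "not-the-real-token", t0 + timedelta(hours=2))  # rejected
    removed = ledger.purge_unconfirmed(datetime(2018, 5, 24, tzinfo=timezone.utc), timedelta(days=3))
    return (removed,
            ledger.may_send_marketing("a@example.com"),
            ledger.may_send_marketing("b@example.com"),
            ledger.may_send_marketing("c@example.com"),
            ledger.proof_of_consent("a@example.com") is not None)


def unticked_box_is_rejected() -> bool:
    """An opt-in box left unticked must never create a marketing record."""
    try:
        ConsentLedger().register("d@example.com", "FR", False, "newsletter",
                                 datetime(2018, 5, 20, tzinfo=timezone.utc))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())   # (['b@example.com'], True, False, True, True)
```

The purge is deliberately scoped by `needs_consent`, which is the "limit these rules to the EU countries" advice from the text: the US contact survives without confirmation, while the unknown-region contact is treated as EU and dropped because the confirmation never arrived.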
2. Right to Data Portability
The audience has a right to their data. This means that as an online marketer, any client who asks for their information has to get it in full. To avoid repercussions, the database has to be well managed so that data can be retrieved efficiently on short notice. Additionally, a right cannot be shared, but it can be delegated to a party. This means that an online marketer who uses the information, or shares it with another party, without consent is breaking the law.
Lastly, online marketing data includes profile information, transaction activity, and payment history. The right to data portability means that the backend has to offer a download button to facilitate the portability of that data. It is a feature that gives website users access to a printed or written report of everything pertaining to them.
To Do list before May 25th, 2018:
- Redesign the business website to accommodate personal portals.
- Develop the system to maintain an active list of records so that clients can access the latest information about themselves.
- There should be a download tab, complete with options for defining the time range or activity needed on record.
If there is a possible breach and an online marketer loses data, informing the client is mandatory. This is because the customer has absolute rights over their data, which include the right to all information pertaining to it.
3. Right to Erasure
Under the profile information, online marketers have to give clients an option to opt out of the service permanently or temporarily. This feature widens the scope for retaining loyal clients as future prospects while adhering to the EU regulations. The database has to be linked directly to the customer account so that data can be transferred to a separate database for future retrieval and reinstatement, or erased permanently.
4. Right to Refuse Profiling
Although the EU advocates the use of data pseudonymization, which curtails profiling, online marketers must allow clients to opt out of being targeted in any way. The concept of pseudonymization means that personal data has to be delinked from the historical activity. Without synchronizing the two, in most cases the data in the database will be anonymous, and targeting customers will be a task not worth the pain. In any case, profiling based on gender, age, location, nationality, race, or any other detail in the records is prohibited without prior consent.
Treading with Caution
Brussels requires each member state to form an individual unit to monitor compliance and scrutinize organizations. It is therefore critical for online marketers to be on the right side of the law. Seeking clarity or assistance from these bodies can exonerate an entity in case of a dispute with a client; this is the essence of being on the good side of the law.
Compliance is mandatory, but in most cases online marketers have already exercised caution in handling data to protect the integrity of their own business; the GDPR is a regulation that affirms long-adopted practices.
Investing in technology to secure data, always seeking consent from the audience, and keeping a retrievable and up-to-date record is basically all that Brussels needs.
Update from April 30th 2018: Amy Porterfield and Robert Klinck published a great podcast! It runs 45 minutes, and after listening you will know all you have to know (as a marketer) and also have a practical, hands-on to-do list for becoming GDPR compliant.