What You Need to Know About GDPR


BEST PRACTICES SERIES

The calendar countdown to May 26, 2018, may not have quite the same appeal as a New Year’s Eve-style celebration. But that’s the day the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect—cue the confetti cannon.

GDPR creates a new set of standardized, strict rules for consumer protection, designed to ensure privacy and data minimization. It’s a regulation with reach; just about any global company that collects or processes data for customers based in the EU will be affected. The consequences for non-compliance are not trivial; GDPR stipulates that offending companies can be fined up to 4% of annual global turnover, or €20 million (about $24 million), whichever is higher. Management consulting firm Oliver Wyman calculated that companies on the FTSE 100 that have incurred a known major data breach in the past 5 years would have been fined £25 billion (about $34 billion) if GDPR had been in place during that time.

Organizations that don’t feel quite ready for GDPR are in good company; a survey of international businesses by the Ovum consultancy found that more than half of respondents expect their organizations to be fined under GDPR. U.S. companies are particularly pessimistic, with 63% of Ovum respondents believing the new privacy regulations will make it harder for U.S. businesses to compete in Europe.

But for businesses that take the May 2018 deadline as an opportunity to gain a deeper understanding and control of data flows, there may also be an upside.

What Does GDPR Do?

GDPR was adopted by the European Parliament in April 2016, replacing the 1995 Data Protection Directive that was codified at a time when fewer than 1% of Europeans used the internet. As access grew, Europe did its best to stay on the forefront of data privacy, announcing in 2012 that it would work toward a unified data protection policy for all member states.

“The EU definitely takes a more protective stance for personal data than the U.S.,” says Susan Foster, a member of Mintz Levin who specializes in EU privacy/data protection matters. “The roots of it are in the misuse of personal data here in the past. There is a sacredness around personal data in the EU that we don’t have in the U.S.”

GDPR’s provisions protect basic identity information such as name, address, and ID numbers. To that it adds web data that can pinpoint a user’s location (including physical location, IP address, cookies, and RFID tags), health and genetic data (including biometric data), and “sensitive” or “special” personal data (such as sexual orientation, race, ethnicity, religious beliefs, or political opinions). “There are a lot of things that Americans would be surprised to hear the EU considers personal data,” says Foster.

Under GDPR, consent becomes explicit. That is, the consumer must explicitly opt in to allow companies to acquire, retain, and access his or her personal data, and he or she has the right to withdraw consent at any time. Consumers can request a copy of their data from organizations that hold it, and a new “Right to be Forgotten” rule means that consumers can request that a company erase their personal data if there are no legitimate grounds for storing it.

Another key consumer protection? The timeline for consumer notification of data breaches is shortened and made mandatory. Companies will have just 72 hours to notify end users of situations in which a data breach is likely to “result in a risk for the rights and freedoms of individuals.”

Who Is Affected?

Foster says there are three triggers for direct applicability. “The first is whether the company has any ‘establishment’ in the EU, which is basically a permanent means of doing business there, like a branch office, subsidiary, or even a person permanently on the ground there.” The second is that any company without such establishment can still be under GDPR jurisdiction if it monitors data from EU customers, including holding data from EU citizens via back-end processing activities.

The third trigger is whether a company offers goods or services to EU citizens. “That applies even to free services, like apps,” says Foster. “If a customer comes to you, GDPR doesn’t apply. But if you do any targeting of EU citizens with marketing or outreach, you’re affected.” Even U.S. companies that don’t fall under the “direct applicability” umbrella for GDPR may be impacted. “If GDPR applies to your customers, partners, or vendors, you may have to help them as they get into compliance in the coming months,” says Foster.

Who’s in Charge Internally?

Within organizations, GDPR requires the appointment of a data protection officer (DPO) to oversee strategy and compliance. “The DPO must have a high level of independence; they can only be fired by the board,” says Foster. He or she also can’t carry out tasks that would be considered a conflict of interest, such as setting data strategy. “They’re basically acting as an in-house compliance officer,” she says.

For smaller companies, appointing a full-time DPO could be prohibitive, and the EU has signaled that outsourcing DPOs is acceptable. “It’s one of the places where the EU has recognized business realities,” says Foster, pointing out that for a 20-person U.S. company performing behavioral analytics on end-user data that may come from Europe, a contract or part-time DPO is a much more palatable approach.

What Should You Do Now?

According to privacy and data protection expert Peter Milla, who is the DPO for the online insights exchange platform Cint, building awareness and undertaking management education is a key first step. Milla says, “The second step would be to perform an impact analysis, so you can understand your organization’s data flows and risks associated with them.” Data-flow mapping tools, such as Nymity and TRUSTe, can facilitate this process. Finally, he says, getting the DPO in place—whether as a hire, appointment, or contract role—is critical.

While most GDPR experts don’t expect fines to be handed down immediately, high-profile violations with big risk exposures, such as data breaches, are likely to draw quick enforcement actions. “The European public will appreciate that,” says Foster. GDPR certainly places new burdens on U.S. companies, but she points out an upside: “Going through the exercise of understanding your organization’s data flows will benefit your business as you deal with increasing regulations around the world.”