On May 25, 2018, a new data privacy and security law takes effect—the European Union (EU) General Data Protection Regulation (GDPR). Along with stricter regulations, GDPR comes with hefty fines for businesses that don’t comply. Should US-based companies be concerned? Here’s what you need to know.
What Is GDPR and Who Must Comply?
GDPR is a new set of regulations designed to protect the personal data of EU citizens, including how the data are collected, stored, processed, and destroyed. The EU Parliament approved GDPR in April 2016 and gave companies 2 years to comply. And unlike its predecessor, the 1995 EU Data Protection Directive, GDPR expands the geographic scope of the law beyond businesses based inside the EU.
GDPR impacts all organizations that collect and process personal data or behavioral information from individuals who reside in the EU at the time the data are accessed. According to GDPR, personal data are defined as any information that can be used to identify a person. So, in addition to names, location, and identification numbers, personal data also include Internet protocol addresses, social media posts, online contacts, and cookie strings.
This means that your US-based company may still have to comply with the GDPR, even if no financial transactions occur. In addition to businesses that are based in the EU, GDPR applies to companies that:
- Offer goods and services to EU residents
- Monitor EU residents’ behavior (e.g., track and collect EU residents’ information to predict their online behavior)
- Have a website that pursues EU residents (e.g., accepts EU currency, markets in the language of an EU country or provides language translation, offers shipping to an EU country, has an EU domain suffix).
Does Your US-based Company Need to Prepare for GDPR Compliance?
Research by Gartner predicted that more than 50% of companies affected by GDPR will not be in full compliance by the end of 2018. To avoid falling into this category, all US-based companies in industries that do business in the EU (e.g., e-commerce, travel, hospitality, and software services) should be in the process of ensuring GDPR compliance. In addition, all US-based companies—especially those with an extensive Internet presence—should be assessing whether any of their business activities and/or database subscribers fall within the scope of GDPR.
But what if you’re 100% positive that the scope of GDPR does not apply to your company? You should still consider meeting the stricter data privacy rules. Data protection is a hot topic these days, and it’s likely that more countries worldwide, including the United States, will adopt more-stringent personal-data protection laws similar to GDPR in the near future.
New, Stricter GDPR Standards
Here, we highlight some of the new GDPR requirements that will have the biggest impact on marketers:
- Standards for Getting Consent—You can send emails only to people who explicitly give you permission to do so. Although this regulation was already in place in most EU countries, the GDPR is much more specific about consent. To be GDPR compliant, companies must now get affirmative consent that is “freely given, specific, informed and unambiguous.” Companies must also provide information about themselves at the time of consent, as well as the way they intend to use the personal data that they collect. For example, using pre-checked boxes, or sending emails to addresses that users provided only to download a white paper, does not meet the new standard for consent.
- Rules for Consent Record Keeping—The burden of proof that you have an individual’s permission to send him or her emails is on your company. In other words, if you’re challenged about an individual’s consent, you must provide records that show that you complied with GDPR. Not only does this regulation apply to new subscribers, but it also applies to your existing consent data. That means that you’ll need to bring your database up to date to be sure that you have documented proof that the consent you collected from all subscribers meets GDPR standards.
- Right to Be Forgotten—This new GDPR regulation means that subscribers have the right to have their personal data totally erased from your systems. So, in addition to still having an opt-out function that allows subscribers to easily withdraw consent, you’ll also have to be able to delete all of a subscriber’s personal data upon request.
- Right of Access—Your company must be ready to respond in a timely manner to a subscriber’s request for the personal data that you’ve collected, processed, or transferred. According to GDPR, an electronic copy of the personal data must be provided free of charge and within 1 month of receiving the request.
- Right to Data Portability—In addition to having the right to get their personal data from you in a portable or “structured, commonly used and machine-readable format,” subscribers also have the right to have those data transmitted directly to another organization.
Impact of GDPR
The fines for non-compliance with GDPR are daunting: as much as 20 million euros or 4% of a company’s global annual turnover (whichever is higher) for each violation. As a result, companies based in the EU, as well as companies around the world that do business in the EU, have been busy over the last 2 years ensuring GDPR compliance.
What impact will GDPR compliance have on companies? A recent study of 400 marketers in the United Kingdom and France by the email service provider Mailjet gives some indication. The study found that marketers could lose 40% of website traffic as a direct result of GDPR, because it will restrict the use of retargeting strategies. In addition, marketers in the study said that the steps they take to comply with GDPR will lead them to shift some of their marketing focus to direct communication channels such as email marketing.
Here are some additional findings from the study:
- 30% of respondents said that they plan to reduce cookie-based display, paid-search, and retargeting efforts.
- 79% of respondents said that they will invest more in email marketing to reach customers.
The study also indicated positive outcomes of GDPR, including:
- 57% of respondents said that they would rely more on building campaigns that resonate with new users, rather than on such methods as retargeting ads.
- 59% of respondents said that GDPR will drive them to be more transparent about the ways that they track information, which will help build user trust.
New GDPR Standards Positively Impact Email Marketing
When it comes to email marketing, many of GDPR’s new personal-data regulations will have a positive impact, as the study above indicates. For example, companies will be compelled to send more targeted and relevant content to prospects and customers who really want to receive that content. This is an email-marketing best practice that will help to increase subscriber engagement, email deliverability, and overall campaign performance results.
Got questions about how to implement email-marketing best practices that comply with spam regulation and personal-data protection laws? FulcrumTech can help. Contact us today!
Disclaimer: The information provided in this blog is a summary of the new GDPR and how it may apply to your company. However, it is not intended as legal advice. We recommend that you consult with your company’s legal team before finalizing your plans to comply with GDPR.