What would happen if your organization was audited for data privacy compliance?
Europe’s General Data Protection Regulation legislation is coming into effect very soon, and it’s going to have a big impact on your digital marketing operations.
The flow of data doesn’t stop at municipal, provincial, or national borders, but Europe’s new legislation will force every organization (including yours) to implement a detailed, accountable system for sourcing and collecting personal data related to the European Economic Area and its citizens.
Quick Review on Europe’s General Data Protection Regulation (GDPR)
The GDPR expands and clarifies the scope of what is considered to be personal data. It also imposes severe penalties on organizations that fail to comply with these rules—up to €20 million or 4% of your annual revenue, so it needs to be taken seriously.
What Counts as Personal Data?
Organizations that employ Cookies often do so simply for ad retargeting campaigns, but they may also collect information without using it. Collecting information without providing a clear explanation for its use could cause legal issues during an audit.
Review your marketing platforms for collected information matching any of these data points:
- IP Address
- Email Address
- Telephone Number
- RFID Code
- Name
- Physical Address and Postal Code (or Zip Code)
- Items Purchased
- Contact Lists
- Debit, Credit, and Financial Information
- Personal Messages and Correspondence
- Age, Sex, or Gender Self-Identification
- Web Pages Visited
- Actions Taken on a Web Page
- Interests Listed
That's not an exhaustive list, but it should indicate what to search out in your marketing stack.
What Does the GDPR Mean for Marketing?
GDPR will limit the use of data collection, and this will have an impact on marketing automation and digital advertising for obvious reasons—that data is what lets organizations deliver personalized, relevant offers at scale.
Remember these key issues for data protection in your marketing funnels moving forward:
- Cookies Notification: your website needs to notify visitors whom it tracks upon landing on the site.
- Time Limits on Storing Personal Data: data collected from EU territories can’t be stored indefinitely.
- Be Ready to Justify Why You Store Data: organizations with a presence in the EU will need to codify why they collect certain data points, including IP addresses, email addresses, purchase histories, and so on.
- All Collected Data Needs a Source: organizations cannot continue to use Europeans' personal data without a clear record of where and how it was obtained (such as an email signup date and URL).
- The Right to Be Forgotten or Erasure: European citizens have a right for their data to be deleted from databases, and they have the right to withdraw from further marketing interactions.
How Does the GDPR Differ From CASL?
The GDPR is European legislation but will have legal ramifications for companies with a digital presence in the EU—even if they operate in other parts of the world.
CASL, on the other hand, is Canada’s Anti-Spam Legislation—entirely separate from European legislation. American and international organizations have adopted clear opt-in and opt-out mechanisms (especially for email marketing) to avoid paying fines in Canada, but you can be sure they will come in handy for GDPR compliance as well.
International companies will need to accommodate both pieces of legislation to avoid compliance penalties, even though they are separate pieces of legislation created in different countries. This is why a GDPR compliance checklist is important for your business (and consult a lawyer either way).
The GDPR Compliance Checklist for Marketing
Stay ahead of the legal curve with this practical GDPR compliance checklist to equip your organization for GDPR compliance. In the near future, the rest of the world may soon adopt similar legislation in light of the recent investigation into Cambridge Analytica and Facebook.
- Document Your Data Privacy Model for the Entire Organization
- Include Data Privacy Metrics in Relevant Audit Processes
- Update Marketing Policy to Include GDPR Provisions
- Notify Visitors of Cookies on Your Website
- Codify the Purpose of Storing Specific Data Points
- Adopt a CRM to Track Personal Data Collection Histories
- Notify Users If Collecting Additional Data
- Implement Intentional Limits on Collecting Unspecified or Irrelevant Data
- Ensure Mechanisms for Withdrawal in All Marketing Touchpoints
- Source Every Piece of Data Collected with a Systematic Approach
- Eliminate or Archive Data Collected Without a Source
- Flag and Separate Data Flagged by Right to Be Forgotten (instead of deleting)
- Record All Data Disclosures on a Personal Basis
- Review Your Ability to Conduct Criminal Background Checks
- Identify Cross-Border Data Transmission Mechanisms and Review
- Appoint a Representative for European Correspondence
- Appoint a GDPR Compliance Officer in Some Form
GDPR Articles for Further Reading
Stay up to date on GDPR with these articles for further reading and creating your own GDPR compliance checklist, if you’d like to dig deeper:
Canadian Lawyer Magazine: Getting Ready for GDPR
I-Scoop: Four Practical GDPR Concerns for Marketing and Beyond
Super Office: GDPR for Marketing: The Definitive 2018 Guide
Martech Series: How to Beat Procrastination with a GDPR Marketing Compliance Plan
Forbes: The Role of Marketing in GDPR
Marketing Profs: Your 2018 Marketing Plan Won't Work and Will Break the Law
Do you still have questions about Europe's General Data Protection Regulation (or Canada's Anti-Spam Legislation)? Get in touch directly and we'll show you what it means for your marketing.