It seems like data privacy is in the news every day, with recent high-profile controversies like Facebook’s data mishandling and the massive breach at Equifax. How companies capture, store, and dispose of personal data is under intensifying scrutiny.
Yet even before data privacy hit news headlines, the European Union was already making moves to give individuals in the EU more control over their personal data. On April 14, 2016, the EU Parliament voted in favor of the General Data Protection Regulation (GDPR), which establishes a single set of data protection rules across the EU and becomes enforceable on May 25, 2018. Note that the regulation protects "data subjects," meaning any identifiable person, not only consumers in the retail sense.
What Does This Mean for US Companies?
The GDPR applies to organizations established in the EU and, regardless of where they are based, to any organization that offers goods or services to people in the EU or monitors their behavior (Article 3). In practice that covers most US companies with EU customers, EU newsletter subscribers, or EU visitors whose website activity is tracked. Non-compliance can mean fines of up to 20 million Euros (about $24.7 million at the time of writing) or four percent of the prior year's global annual turnover, whichever is higher. More importantly, companies that aren't compliant risk losing the trust and confidence of their customer base.
What Does This Mean for Marketers?
Although GDPR is a company-wide initiative, tightening restrictions surrounding the capturing and storage of personal data have especially significant effects on marketing teams.
We’ve compiled some highlights that marketers should know about. For the full policy, visit the official EU GDPR page.
Where you rely on consent, it must be freely given, specific, informed, and unambiguous, and signaled by a clear affirmative action. An unticked opt-in checkbox on a landing page form qualifies; a pre-ticked box, a box bundled with the terms of service, or silence does not. (Explicit consent is additionally required for special categories of data, such as health information.) Many companies go further and adopt a double opt-in system. An example of double opt-in: A consumer signs up for an online newsletter and immediately receives an email asking them to confirm their email address before they're added to the email list. The confirmation step proves that the address belongs to the person who signed up and gives you a timestamped record of the consent.
Consent is not the only lawful basis for processing. The GDPR recognizes that direct marketing may be carried out on the basis of the company's "legitimate interests" (Recital 47), balanced against the individual's rights and reasonable expectations. This is one of the more ambiguous areas of the GDPR, so check with your legal team before relying on it for a campaign, for example one aimed at your current customers. Whatever the basis, individuals have an unconditional right to object to direct marketing (Article 21), so every campaign must include a way for the individual to remove themselves from the list, either via an unsubscribe link or a way to contact your company, and the objection must be honored promptly.
GDPR gives individuals the right to access, rectify, and erase their personal data, as well as to restrict or object to its processing and to receive a portable copy of the data they provided. Requests generally must be answered within one month. Marketers should familiarize themselves with their company's data storage policies and procedures, know which systems (marketing automation, CRM, analytics, ad platforms) hold personal data, and identify who within the company to contact should an individual request access to their data.
GDPR introduces the principle of data minimization: personal data must be adequate, relevant, and limited to what is necessary for the stated purpose. Data that serves no current purpose should be deleted or anonymized. Encryption and pseudonymization are valuable safeguards and the GDPR encourages them, but they do not take data out of scope: encrypted or pseudonymized records are still personal data as long as someone holds the key or lookup table to re-identify the person. Only properly anonymized data, from which no individual can be re-identified, falls outside the regulation.
Data Breach Notification
GDPR requires companies to notify their supervisory authority (for UK-based organizations, the Information Commissioner's Office, or ICO) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. When the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay. Marketing databases and email lists are exactly the kind of asset this rule covers, so find out who handles incident response in your company before you need them.
GDPR Action Items
The new policy can seem daunting at first, but it’s important to start preparing sooner rather than later. Here are four things you can do now to make sure your team is in compliance:
1. Assess Your Current Data
To understand what needs to be changed, you first need to understand the current status of your data. Ask yourself the following questions:
- How are you currently collecting data? Does it require clear consent from the consumer?
- Do your direct marketing emails offer an opt-out option?
- What data do you already have, what are you using it for, and how did you collect it?
- Are you able to show a trail of consent if necessary?
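The double opt-in flow described earlier and the "trail of consent" asked about in the last question are two halves of the same mechanism. The following Python is an added example, not Wrike's code or part of the original post: it issues a single-use, expiring confirmation token, subscribes an address only when that token comes back, and records every request, confirmation and withdrawal in an append-only log so the consent history for any address can be produced on demand. The class and function names (DoubleOptIn, ConsentLog, ConsentRecord) and the sample sign-up are hypothetical.

```python
"""Double opt-in with single-use, expiring confirmation tokens and an
append-only consent log. Added example; names are hypothetical."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    """One event in the consent trail: enough to answer 'when, for what,
    where, and under which privacy notice' for each address."""
    email: str
    purpose: str          # e.g. "newsletter"
    action: str           # "requested", "confirmed" or "withdrawn"
    timestamp: int        # Unix time
    source: str           # form URL or campaign id that collected it
    policy_version: str   # the privacy notice the person was shown


@dataclass
class ConsentLog:
    """Append-only: events are never edited or deleted, so the trail stays complete."""
    records: List[ConsentRecord] = field(default_factory=list)

    def record(self, rec: ConsentRecord) -> None:
        self.records.append(rec)

    def history(self, email: str) -> List[ConsentRecord]:
        return [r for r in self.records if r.email == email]

    def is_subscribed(self, email: str, purpose: str) -> bool:
        """Current state is the most recent confirm/withdraw for that purpose."""
        state = False
        for r in self.records:
            if r.email == email and r.purpose == purpose:
                if r.action == "confirmed":
                    state = True
                elif r.action == "withdrawn":
                    state = False
        return state


class DoubleOptIn:
    """Issue an opaque token by email; only a confirmed token subscribes."""

    def __init__(self, log: ConsentLog, ttl_seconds: int = 48 * 3600) -> None:
        self.log = log
        self.ttl = ttl_seconds
        # Keyed by SHA-256 of the token, so a leaked copy of this table
        # cannot be used to confirm subscriptions on someone's behalf.
        self._pending: Dict[str, Tuple[str, str, int, str, str]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email: str, purpose: str, source: str,
                policy_version: str, now: Optional[int] = None) -> str:
        """Step 1: sign-up form submitted. Returns the token for the
        confirmation link; the address is NOT subscribed yet."""
        now = int(time.time()) if now is None else now
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._pending[self._key(token)] = (email, purpose, now + self.ttl,
                                           source, policy_version)
        self.log.record(ConsentRecord(email, purpose, "requested", now,
                                      source, policy_version))
        return token

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        """Step 2: confirmation link clicked. Single use and time-limited;
        unknown, replayed or expired tokens are rejected with no side effects."""
        now = int(time.time()) if now is None else now
        entry = self._pending.pop(self._key(token), None)  # pop => single use
        if entry is None:
            return False
        email, purpose, expiry, source, policy_version = entry
        if now > expiry:
            return False
        self.log.record(ConsentRecord(email, purpose, "confirmed", now,
                                      source, policy_version))
        return True

    def withdraw(self, email: str, purpose: str, source: str = "unsubscribe-link",
                 now: Optional[int] = None) -> None:
        """Unsubscribe / objection: logged, not deleted, so the trail shows
        the withdrawal alongside the original consent."""
        now = int(time.time()) if now is None else now
        self.log.record(ConsentRecord(email.strip().lower(), purpose,
                                      "withdrawn", now, source, ""))


if __name__ == "__main__":
    # Constructed walk-through with fixed timestamps.
    log = ConsentLog()
    flow = DoubleOptIn(log)
    tok = flow.request("Alice@Example.com", "newsletter",
                       "https://example.com/signup", "privacy-2018-05", now=1000)
    print("confirmed:", flow.confirm(tok, now=1100), "replay:", flow.confirm(tok, now=1200))
    flow.withdraw("alice@example.com", "newsletter", now=5000)
    for r in log.history("alice@example.com"):
        print(r.timestamp, r.action, r.source, r.policy_version)
```

The token itself only ever travels inside the confirmation email; the server stores a hash of it, which is why a database dump does not let an attacker confirm subscriptions. In a real deployment the pending table and the log would live in a database, and the log would be the thing you export when someone asks to see their consent history.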
2. Review and Update Privacy Communications
Proactively communicating your current and future data practices and privacy policies will give your customers confidence and help build trust in your brand. Update your policies to detail how you collect, store, transfer, and process your data. Consider sending an email to current and prospective customers detailing what changes you’re making.
3. Define and Discuss with Key Stakeholders
Stakeholders at every company are different, but no matter who needs to be involved, it’s important to loop them in as early as possible.
- Your CEO may want a high level understanding of how GDPR will affect business processes, expenses, or revenue. Help him/her understand potential fines, risks, challenges, and opportunities involved in this transition.
- Compliance, risk management, or information security teams will need to create a company-wide data protection plan and policy to protect against breaches.
- Loop in legal to help review any changes and ensure compliance before officially launching anything.
- Some companies must appoint a data protection officer (DPO): public authorities, and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37). Even where it isn't mandatory, designate one person as the main point of contact for all GDPR-related questions and issues. DPOs should keep up on the most current data protection laws and practices.
- If landing pages or forms need to be recreated for compliance, communicate those requests to developers and design teams as soon as possible.
- Keeping sales up to speed is important to instill confidence in current and potential customers. Make sure they know the steps you’re taking to be GDPR compliant and feel comfortable relaying that information to prospects.
4. Third-Party Compliance
Take a look at the contractors and vendors that process personal data on your behalf (email service providers, marketing automation platforms, analytics and advertising tools) and verify that they comply with the GDPR. Under Article 28 you need a written data processing agreement with each such processor that spells out what they may do with the data, the security measures they apply, and how they support your obligations around access requests and breach notification. Learn about what we're doing at Wrike.
Using Wrike for GDPR Collaboration
Having a single source of truth keeps you organized, eliminates roadblocks, and provides clarity when embarking on complex projects with multiple stakeholders and moving parts.
Here is how our own marketing operations team is using Wrike to make sure everyone is GDPR compliant:
“GDPR affects so many different people on so many different teams. Being able to have one source where we can document our research and best practices is helpful,” says Mariam Vanyan, Email, Website, & Automation Team Lead at Wrike. “Anyone involved knows they can always come to Wrike to add notes or ask questions.”
“Based on the GDPR, we are identifying landing pages and emails that we may need to update, taking screenshots of them, and uploading them to individual Wrike tasks,” Vanyan says. “We want to make sure anything we need to update is here in one place. For us, if it doesn’t exist in Wrike, it doesn’t exist.”
Assign to Key Stakeholders
“We make sure everyone who needs to see or approve these updates is added to the relevant folders, projects, and tasks,” Vanyan says. “If everything is in one place, all teams involved can come straight here and see what needs to be done. Because it’s all in one place, we’re able to avoid sending emails for every change we need to make, which can become chaotic. Everything is listed clearly in Wrike, so all the teams know exactly what they need to do.”
“There are so many tasks that need to be taken care of by so many teams, but not all of the tasks can be done at the same time. Some tasks can’t be started until others are finished,” Vanyan says. “We’re relying on Wrike’s timeline and the ability to create dependencies from one task to another to help streamline that process.”
Get It Reviewed
“Once we’ve made all the changes, we’ll use Wrike to push it to our legal team for one final review,” Vanyan says. “Because the entire history of the project shows up in that task, our legal team can see the original landing page or email, the steps we took to make it GDPR compliant, and what it looks like now.”
While becoming GDPR compliant may seem daunting, it will ultimately help your brand build trust among your customers and prospects. Breaking the initiative into smaller chunks like those outlined in this blog post makes it more digestible for you and your team.