The European Union’s General Data Protection Regulation (GDPR) is new legislation that is designed to protect the data of EU citizens. GDPR implementation affects every single organization and business that interacts with an EU resident, regardless of where they may be. If you’re a company in the United States that deals with EU residents, then the GDPR will apply to you and you’ll need to follow the GDPR compliance requirements.
Why Are GDPR Compliance Requirements Such a Big Deal
The GDPR implementation started on May 25th, 2018 with the goal of putting more control and protection in the consumer’s hands. Data privacy has become a huge concern lately and the way brands protect their customers is now going to be in the spotlight due to GDPR implementation. The idea is to significantly enhance the level of protection offered to EU citizens and their data. It is built on the 1995 Directive’s requirements, but the new GDPR compliance requirements will be stricter and have harsher punishments for anyone that violates it.
What Are the Consequences of Failing to Follow the GDPR Compliance Requirements?
On the one hand, the damage for companies will be monetary. Companies that fail to follow GDPR compliance requirements may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, depending on which one is greater.
Fines concern both large and small-medium companies: in a first preliminary report, the European Data Protection Board has reported that the average GDPR fine has been around €66,000, excluding the 50 million euro fine received by Google from the French data protection agency.
On the other hand, failing to comply with GDPR requirements will impact a brand’s image. Your organization might have a tarnished reputation and many consumers will lose faith in both your products or services.
Recent research by Dentsu Aegis Network showed that the misuse of personal data is the number one reason for mistrust in the tech industry for 64% of people. Another survey by IBM found out that around 85% of consumers in the US believe businesses should be more proactive in protecting their data, only 20% would “completely trust” an organization with handling their personal data, and an impressive 75% of people wouldn’t buy from a company they don’t trust to protect their data, regardless of how good its product or service.
In short, failing to follow the GDPR compliance requirements will force your business into a problematic situation and ultimately damage your organization. The punishments are intentionally harsh to ensure that all organizations follow a GDPR implementation strategy.
How Can I Prepare My Organization for GDPR Implementation?
In order to make it easier for your business to follow the GDPR compliance requirements, it’s essential that you start planning ahead of time while you still can. To help you prepare for GDPR implementation, we have outlined several of the most important points to follow.
1. Audit Your Data and Analyze It
Data regulations should not be seen as a curse for businesses, but rather as an opportunity to improve the quality of the data collected.
Although many suspected that GDPR would have major repercussions against programmatic advertising, in the UK 67% of digital media professionals agree that they actually increased their programmatic spending, and the same was true for all other countries in Europe.
Marketing Managers across organizations can leverage this moment to rethink their marketing strategy around what data really matters to drive sales and what is the best way to collect it. At the same time, they can let go of collecting nonessential data points.
Many organizations seem to think along these lines: according to a research carried out by the IBM Institute for Business Value, 59% of surveyed executives say that GDPR is an opportunity “to spark for new data-led business models”.
Smart GDPR implementation means looking at the data you have and trying to understand it, why you have it and what it is being used for. Ask your team how the information is collected and with whom it is shared. Identify the different types of data you have and the relationships it has with other sites, companies or even services. This is an incredibly strenuous task so it does require you to comb through every single piece of data in your system to ensure that it stays within the GDPR compliance requirements.
Here are a few questions you should ask yourself:
- Who are we collecting data on? Who has access to this data? Who is the one that sorts it and compiles it into usable data?
- What are we collecting? What kind of safeguards and mechanisms do we have in place to protect personal data so that it isn’t leaked into the wrong hands?
- When are we collecting data? How long do we plan to keep it for? Are we going to share the information we have with others?
- Where are we keeping data? Is it stored and compiled automatically, or do we transfer it all to a third-party?
- Why are we collecting data? Do we feel that the information we collect is useful? Is it being used for a good reason?
- How are we collecting data? How do we plan to process it in the future? How long do we keep our data for?
These questions should form the basis of any organization’s GDPR implementation strategy.
2. Let Your Customers Know About the GDPR
Another important step towards safely managing personal data is to be transparent with your own customers. The same report from IBM mentioned earlier highlights that 96% of GDPR leaders think that complying with GDPR can be used as a source of differentiation, as it will be viewed as a positive attribute by the public. According to a survey by Otonomo and SBD Automotive, transparency and trust are critical to build trust between companies and consumers, with 60% of interviewed people saying that for them it is very important to be told exactly what data is collected, by whom and for what purposes.
Most people wouldn’t know a thing about GDPR implementation or how it affects them. As a result, you may want to contact them via email or even social media and raise awareness of what it is, how you plan to implement it and what changes they can expect to see.
Not only will this impact how much you personally know about GDPR implementation, but it can also greatly affect the way your customers see you. If you can get your audience on your side, then following the GDPR compliance requirements could have a profound effect on consumer trust and ultimately improve your reputation.
3. Review Your Privacy Notices
The GDPR compliance requirements contain a list of requirements that all privacy notices must meet should you collect data. This includes the following:
- Indicate the processing activities taking place anytime you collect personal data
- If personal data isn’t being obtained directly, then inform what processing activities are taking place
- Notices must be present whenever personal data is collected and at all points
- Data must include the identity of the controller and of the data protection officer, how long it will be kept for, the rights that the consumer has, the right to file a complaint, the recipients and transfers of data, a statement that the consumer has the right to withdraw consent at any time, and also an explanation of why you or third-party wishes to collect the data.
4. Understand the rights of the Consumer
To follow the GDPR compliance requirements, it’s also important to understand the rights that the consumer has over their data. When GDPR implementation is active, you must demonstrate that you’re able to do the following:
- Confirm the identity of whoever is requesting the data
- Give consumers the ability to request their personal data
- Respond to requests for access to personal data
- Trace and search for a consumer’s personal data and deliver it within 30 days
- Request rectification and rectify any personal data collected
- Request the deletion of a consumer’s personal data
- Understand which additional controllers data has been transferred to
- Upon a data breach, contact those entities to delete the data
- Requesting the restriction of data processing and show how and when this is done
- Requesting copies and transmit personal data
- Find personal data and compile it into machine-readable formats
- Give consumers a way to object to their data being collected
- Stop all data processing and demonstrate their compliance
These are the standard rights that must be understood by all organizations that follow the GDPR compliance requirements. Failing to do so will result in heavy fines, so make sure you understand these points.
5. Learn how to run GDPR-compliant marketing campaigns
Another important step for companies is to align with the new GDPR guidelines and responsibilities on the major advertising platforms, such as Google and Facebook.
In regards to Facebook, you can learn everything you need to know to keep advertising safely on Facebook in our extensive guide, where we discuss how GDPR regulations impact Facebook’s most important advertising tools.
A lot has changed for advertisers using Facebook: for example, companies need to ask the users consent to collect their personal information both when they use the Facebook Pixel or when they target specific segments as a data controller with Facebook Custom Audiences, whereas the use of Facebook Lookalike Audiences remained untouched by new GDPR requirements.
6. Keep your audiences updated based on consensus
One of the requirements for companies to be GDPR compliant is to make sure that the audiences targeted for marketing purposes are always updated according to the user consensus to be targeted.
This must be ensured both for new contacts and for contacts who expressed their consent before May 25th, 2018. In fact, according to the GDPR “if the consent provided by a person prior to the application of the General Data Protection Regulation (GDPR) is in line with the conditions of the GDPR, then there is no need to ask again for the individual’s consent.”
Users have also the right to withdraw their consent at any time, and companies should respect their decision by excluding them from any marketing campaigns. This can be challenging especially for large organizations that deal with high-volume audience segments in hundreds of active campaigns, which could never update the audience’s files manually every time people withdraw their consent.
In this regard, the best way for companies to keep track of the users’ consensus and update the targeted audiences accordingly is to sync their audiences and campaigns automatically through trusted third-party software such as LeadsBridge.
LeadsBridge operates converting personal data in HASHED keys in real-time (in VCPU memory) without storing any sensitive data in any place, offering companies a privacy-safe solution to keep their audiences constantly updated on users’ consensus.
7. Improve privacy-related internal procedures
The implementation of GDPR and generally any data-protection regulation also affects companies’ internal procedures. In fact, as regulations around personal data management increase, companies experience longer bureaucratic internal procedures, with 34.7% of managers finding roadblocks in siloed organizational structures and poor data-sharing protocols.
Source: eMarketer, 2019
Usually, in large organizations, data protection is regulated by the legal department and by CRM managers who make sure to meet quality standards and data hygiene.
Despite being important, these bureaucratic processes are often bottlenecks for Marketing teams who need to wait weeks to use customers’ data for their marketing campaigns. This is a problem for companies, considering that most of today’s marketing is based on the timing and relevance of the marketing message.
However, this problem can be solved by managing data through in-house or third-party software that meets the legal requirement and protects customers’ data with high-level encryption.
If you want to know more about how companies can approach implementing privacy-focused third-party tools, download “The Marketing Director’s Guide to Automation” here.
8. Appoint a Data Protection Officer
As part of the GDPR compliance requirements, a data protection officer is required in any company that processes information and data on a large scale. They will need to do the following:
- Maintain audit trails and demonstrate accountability and compliance
- Maintain an inventory of data that categorizes consumers
- Maintain auditable trails of the processing activity
- Carry out data protection impact assessments
- Monitor compliance with data protection laws
- Liaise and assist supervisory authorities.
Failing to follow these GDPR compliance requirements could result in harsh punishment, so you’ll need to either hire a new employee or assign an existing one to this role. Because of the training required, it will be wise to do this as soon as possible as part of the GDPR implementation process.
9. Enabling Data Transfers
The GDPR compliance requirements state that consumers must have the ability to transfer data to themselves whenever they want. This means that you will need to return their personal data at any given time, so you must be fully capable of compiling the information you have on each consumer into a machine-readable format. This way, you can easily transfer their data to another data controller.
If your consumers want their data, then you need to oblige and send it to them in a simple and readable format that they can understand. You will need to speak with any software engineers or technology consultants you hire in order to build a GDPR implementation strategy that allows for this easy transfer of data. Failing to follow this could breach the GDPR compliance requirements and result in a fine.
10. Planning For Data Breaches
Data breaches can create huge legal, financial and reputational upsets that could damage an organization and must be avoided when developing a GDPR implementation strategy. As such, it should come as no surprise that data security is an important consideration in the GDPR and it requires that you follow the appropriate procedures in order to meet the GDPR compliance requirements.
- You must be able to provide mechanisms to pseudonymize, encrypt and secure personal data
- You must implement additional security measures
- You must be able to confirm ongoing confidentiality, integrity, and availability of personal data
- You must provide mechanisms to restore access and availability of personal data
- You must be able to facilitate regular testing of your security measures
- You must be able to notify the data protection authority within 72 hours should you experience a data breach incident
- You must be able to notify the affected consumers should a high-risk data breach take place
These are all incredibly important points that must be followed should you agree to the GDPR compliance requirements. Again, failing to do so will result in very serious consequences that could ultimately damage your business. It is wise to follow these steps to plan your GDPR implementation strategy and to understand that we are entering a new era where the consumers are in control of their data privacy. However, as with all business opportunities, approaching this from the right angle can give you the upper hand in your industry.
GDPR has changed the advertising world by regulating the way businesses and consumers acquire and share personal information. Although it has been initially perceived as a limit to businesses, numbers have shown otherwise.
As long as companies make sure they meet the GDPR requirements, they can keep advertising safely to consumers.