May 16, 2018
LET’S TALK GDPR | SORTING OUT GDPR
Feeling overwhelmed by GDPR? We get it. Let’s talk it out.
If you have a business page on Facebook, you might’ve noticed several notifications all about GDPR on your page over the past few weeks. You probably checked it out and then became a bit confused about what it really is. Then you might’ve started digging around about it and started to see how much there is to it.
1. WHAT is it? GDPR = General Data Protection Regulation. Designed to strengthen the protection of the personal data of people in the EU, and to give them more control over how that data is used.
2. WHAT is the definition of personal data? Anything that identifies a person directly or indirectly: name, email, phone number, ID number, location data, IP address, online identifiers (cookie IDs, tags, pixels), date of birth, religious or ethnic information, biometric data, health data, financial data, children’s data. The post also lists company registration numbers, which matter when they identify an individual such as a sole trader.
3. WHY is it? Its core premise is that privacy is a fundamental right. It replaces the 1995 Data Protection Directive, an existing rule from the 90s, so it has to evolve as our technology evolves. I actually lived in the UK before and I can tell you one thing: the Scottish and British alike are quite skeptical, even suspicious. They’re very careful about their information. Everyone uses chip cards now instead of the “old school” swipe cards, but whenever they have to enter a PIN at a register, ATM, etc., they ALWAYS shield their hands. I lived there just before America started adopting chip cards, so using a swipe card over there made people think we were “in the dark ages!!” I think it’s part of European culture to be quite skeptical of what data is being used for. Truthfully, as you might imagine given its history and how data was used against people in the past, the most careful and skeptical country of all in the EU is Germany, so it has the strictest rules. Prior to GDPR, every country had its own DPA (Data Protection Authority) and its own rules; GDPR applies one regulation across all of them.
4. WHERE is it? It’s EU law, but it affects anyone, anywhere, who does business with or could collect any kind of personal data from people in the EU.
5. WHO does it affect? Anyone who sells to, targets or could come across personal data of people in the EU. EU = 28 member states as of 2018, which currently includes the UK. Once Brexit hits, we hear the UK will have its own version of GDPR.
6. WHAT does it affect? What does it change? This completely changes the way data is handled. Every processing activity now needs a lawful basis, and you must be able to state it: consent is one basis, and when you rely on consent it has to be specific and unambiguous (explicit for sensitive data). We can now only process the data we REALLY need, and we need a legal justification for why that personal data is being processed. This will force us to focus on the critical data (not the nice-to-haves). Hard for us, because we want it all “just in case” for future segmenting, etc. We will also have to radically re-engineer our processes for:
a. Email Marketing: Your email lists
b. Social Media:
c. Facebook custom audiences: need separate consent form from the individual for their email to be used for promoted social media posts.
d. Requests for data access: people can now request that you give them a full report on any data you have on them at any given time. When, how, to what they consented, plus the data you hold.
e. CRM Platforms (Customer Relationship Management)
7. WHEN is it? It applies from May 25, 2018.
8. WHY should I care?
a. THE NEGATIVE SIDES: The penalties are nothing to laugh at. Fines can go as high as €20M or 4% of global annual turnover (whichever is higher). So if you end up sending emails without appropriate consent, guess what happens? You can get fined. Honda and Flybe were fined a combined £83K by the UK ICO for the emails they sent back in March 2017, under the rules already in force before GDPR. It could cause you to lose customers. It could cause you to lose trust. Consider the cost of obtaining a customer in the first place.
b. THE POSITIVE SIDES: Opportunity for transparency and trust, deepen relationships. Competitive advantage.
9. WHAT should I do?
a. Don’t be slick.
b. Analyze your data collection process: how do you currently obtain consent? It must be a “positive opt-in with CLEAR affirmative action” (no pre-ticked boxes anymore). True opt-ins, and keep a record of when, how and to what each person consented.
c. People also need the ability to withdraw consent for each distinct processing activity, as easily as they gave it. No blanket consent, so no email signup forms that bundle everything under one tick box.
d. You can’t make consent a condition of receiving your service / product unless that processing is genuinely necessary for it (a newsletter signup, where the email is the service, is the obvious exception).
e. No grandfathering: it applies to ALL personal data you currently hold, not just data obtained after May 25. If the consent you hold today wouldn’t meet the new standard, it doesn’t count.
f. Provide clarity: Give as much detail as possible on what their data will be processed FOR and WHO will be processing it. Clearly communicate to your audience about this. What’s happening with their data – when, how? Tell them what you’re collecting, that you’re going to protect their data and do what you say you’re going to do.
g. Have a response plan & proactive plan: speed matters. Prepared comms ready to go.
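The consent mechanics in points 9b to 9e, and the access-request report from point 6d, can be built into one small ledger. The code below is an added illustration, not something from the original post or from any CRM or email platform: it records a consent event per processing purpose, rejects anything that isn’t a clear affirmative action (a pre-ticked box, or a box the person never ticked), lets each purpose be withdrawn on its own, selects email recipients only from people whose latest consent for that purpose is still active, and produces the “what you hold and what I agreed to” report. The purpose names, the subject identifiers and the sample events are all made up for the example.

```python
"""Per-purpose consent ledger: affirmative opt-in, withdrawal, access report.

Added example, not part of the original post. Purposes, subjects and the
timestamps in build_demo() are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed processing activities; in a real system these come from your records
# of processing, one entry per distinct purpose (no blanket "marketing" bucket).
PURPOSES = {"newsletter", "custom_audience", "profiling"}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool      # True = consent given, False = consent withdrawn
    when: datetime
    source: str        # where it happened, e.g. "signup form v3"


class ConsentLedger:
    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}   # subject -> history
        self._data: Dict[str, Dict[str, str]] = {}         # subject -> data held

    def record_consent(self, subject: str, purpose: str, source: str,
                       when: datetime, *, box_prechecked: bool,
                       user_ticked: bool) -> None:
        """Store consent only for a clear affirmative action on a known purpose."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown processing purpose: {purpose}")
        if box_prechecked or not user_ticked:
            # A pre-ticked box, or one the person left alone, is not consent.
            raise ValueError("consent needs an un-prechecked box the user ticked")
        self._events.setdefault(subject, []).append(
            ConsentEvent(purpose, True, when, source))

    def withdraw(self, subject: str, purpose: str, source: str,
                 when: datetime) -> None:
        """Withdrawal is per purpose; other purposes are untouched."""
        self._events.setdefault(subject, []).append(
            ConsentEvent(purpose, False, when, source))

    def has_consent(self, subject: str, purpose: str) -> bool:
        """Consent is whatever the most recent event for that purpose says."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events.get(subject, []):
            if ev.purpose == purpose and (latest is None or ev.when >= latest.when):
                latest = ev
        return latest is not None and latest.granted

    def store(self, subject: str, field: str, value: str) -> None:
        self._data.setdefault(subject, {})[field] = value

    def recipients(self, purpose: str) -> List[str]:
        """Who may be contacted for this purpose right now (e.g. an email send)."""
        return sorted(s for s in self._events if self.has_consent(s, purpose))

    def access_report(self, subject: str) -> dict:
        """The report a data subject can ask for: data held plus consent history."""
        history = [{"purpose": e.purpose, "granted": e.granted,
                    "when": e.when.isoformat(), "source": e.source}
                   for e in self._events.get(subject, [])]
        return {"subject": subject,
                "data_held": dict(self._data.get(subject, {})),
                "consent_history": history,
                "current_consents": sorted(p for p in PURPOSES
                                           if self.has_consent(subject, p))}


def build_demo() -> ConsentLedger:
    """Constructed sample data: one valid signup, one withdrawal, one rejected form."""
    t = lambda h: datetime(2018, 5, 25, h, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.store("alice@example.com", "name", "Alice Example")
    ledger.store("alice@example.com", "email", "alice@example.com")
    ledger.record_consent("alice@example.com", "newsletter", "signup form v3",
                          t(9), box_prechecked=False, user_ticked=True)
    ledger.record_consent("alice@example.com", "custom_audience", "signup form v3",
                          t(9), box_prechecked=False, user_ticked=True)
    ledger.withdraw("alice@example.com", "custom_audience", "preference centre", t(11))
    try:
        # Old-style form with everything pre-ticked: must not create consent.
        ledger.record_consent("bob@example.com", "newsletter", "legacy form",
                              t(10), box_prechecked=True, user_ticked=False)
    except ValueError:
        pass
    return ledger


if __name__ == "__main__":
    demo = build_demo()
    print("newsletter recipients:", demo.recipients("newsletter"))
    print(demo.access_report("alice@example.com"))
```

The key design choice is that consent is an append-only history rather than a boolean column: the latest event decides whether you may process today, and the full history is exactly what an access request asks you to produce. Swap `PURPOSES` for your own list of processing activities and the rejection rule in `record_consent` for whatever your form actually submits.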