Editor’s Note: This week, I received an email from one of my wearable device companies. Screenshot below. The name of the organization has been erased.
Sadly, I’ve never lived in the EU. Heck, I haven’t even been in the EU within the last year. So, why did I get this? One reason may be their data is wrong and I’m somehow tagged as an EU citizen, but I doubt it. I think it’s more likely that last week, in preparation for the GDPR rollout, there was a final review meeting. Here’s my vision of how that went…
Legal counsel: “Hey, CMO, are you absolutely certain we are in compliance?
CMO: deep breath “We have done everything we know to do to be in compliance at this time…..”
Legal Counsel: “Are you kidding me? [Insert 100 pointed, drill down questions here.] The fines on this thing are somewhere around 23 million dollars! That’s it — make everyone opt-in again!
So, the CMO, head hung low, went back and said, “Just send everyone a peppy little note about how we want to keep emailing them and we’ll deal with the attrition later.
If you’re like many US-based companies, the majority of your accounts are based here and you have a small segment of business overseas. Multi-national companies with global business have (for the most part) already adapted and implemented plans to comply with the new GDPR regulations. However, many companies are “hoping” their email company has “got them covered”. Unfortunately, that won’t quite do it. We have some data that belongs to overseas accounts and have compiled this information for our own use. We’re sharing it here, but do not hold ourselves as legal experts. Seek your own legal counsel to ensure you are in compliance with GDPR.
That said, here’s what we’re doing:
Our View of the Most Important FAQs about GDPR
We are not legal consultants and we strongly recommend that if you plan to hold the data of or contact anyone governed by the EU, that you consult with your own legal counsel before enacting any new policies.
What is it?
In a nutshell, GDPR is a regulation applying to companies marketing products or monitoring the behavior of citizens of the EU regarding protection and privacy of their personal data rights. It carries very stiff penalties for non-compliance. Read the regulation or watch this thorough explanation on Hubspot. Overall, the GDPR will affect transparency and accountability rules your organization must obtain to remain in compliance.
The GDPR affects:
Consent
The data controller (your organization) must ENSURE (which means be able to prove) that the individual has given consent. You must prove consent was freely given, for a specific type of communication and is unambiguous. You must have clearly stated how you will use their information and get a clear, affirmative action giving you consent. In other words, you can’t check the box for them and ask them to “uncheck” if they don’t want to participate. Rather, you must ask them to opt into your specific program.
Individual's Rights
Data subjects have two new rights. The right to be forgotten (which means Data Controllers (your organization) must alert downstream recipients of deletion requests from the data subject. And, the right of Data Portability which means data subjects can demand their data be shared with them in a common format.
Internal Procedures
Review your internal data procedures and update your legal and security documentation. You’re going to need a Data Privacy Impact Assessment in place.
Supervisory Authorities
One-stop-shop organizations, with offices in multiple member states, may liaise with one “lead authority” as the central point of enforcement.
Reporting Obligations
Many new reporting requirements, but the biggest is that a breach must be reported in 72 hours. (No more of this “XYZ company reports they experienced a data breach in October of last year”.) You’ve got 72 hours to break the bad news.
Territorial Scope
If you market products or monitor the behavior of citizens in the EU, the GDPR applies. Accountability Companies must be able to DEMONSTRATE (not just state) their compliance. Document, document, document — staff training on written procedures to ensure and enforce compliance. Penalties 20 million euros or up to 4% of global annual revenue — whichever is greater. Todays value of a 20 million euros is $23,452,020.00!
GDPR creates a prime opportunity for organizations: opted-in consumers offer brands the chance to create a more personalized customer experience with targeted offers, deals, and coupons that are most relevant to them. This ultimately should improve trust and provide better transparency between the brand and their customers.
We may not be lawyers but you can contact us for help segmenting and data management!
GDPR Links
A Great 10 minute video on what it is and what you need to do. Action plan included.
The wikipedia post of the GDPR Regulation
New MailChimp Tools to Help with the GDPR
GDPR Tools are Here: Updated Forms, Improved Contact Management, and More