The General Data Protection Regulation (GDPR) is slated to start in May of 2018. It has already been in effect at a transitional level for the past two years, which is why it’s such a hot topic among marketers today – many are worried about the extent to which it could affect digital marketing activities in a negative way. Many businesses are wondering how this set of rules - which essentially have been created to empower consumers to have more control over their data - will be costly to enforce.
Though the intent of the policy is genuine and necessary, the fact that it’s coming into play is also a relevant concern for IT specialists and marketers through the global marketplace. The world of digital marketing is increasingly reliant on collecting personal data for ad targeting, and this could severely impact their capacity to do so. So, does the GDPR have the capacity to affect agencies and businesses worldwide?
The GDPR was created by European governing bodies to ensure that personal data for individuals is protected locally. It also has a set of guidelines about restricting personal data from being exported. The aim is to ensure that citizens are protected and that their data remains under their control to the extent that they are also granted the right to “erasure,” or a withdrawal of consent.
The EU has a commitment to maintaining privacy on user’s personal data, especially in the face of advancements in technology and globalization that are increasingly putting consumers at risk.
The key idea behind the policy and its associated punishments is to encourage trust between technology providers and users. The EU is also committed to having a clear legal framework with which to provide punitive measures to companies and individuals who breach policy.
The GDPR policy defines personal data as individual information that relates to private, public or professional life. This might include photos, names, bank details, medical information, device ID and IP addresses.
One of the ways that the GDPR will be enforced is by being stricter about getting consent from consumers before gaining access to their personal information. In layman's terms, this means that as you spend time on the internet, you’re going to see more things like pop-ups advising you that the site is using cookies.
Another way that businesses can build trust with users is via a consent agreement, a simple example of this is a newsletter signup. This represents a consensual exchange of information that is transparent and of value for both parties.
Because the terms of the GDPR are focused on EU policy, it may seem like US businesses don’t have anything to worry about when it comes to compliance. But the truth is that all digital companies need to be aware of this, since they will likely be dealing with EU customers. If you have customers in the EU, you may collect data from them, and therefore you are subject to the GDPR rules.
It is useful to point out that this policy does only apply if consumers are in the EU at the time of data collection. In addition, it’s important to note that the collections activities don’t have to equate to a financial transaction of any sort. Another important note on this topic is that a breach of it would (typically) involve a targeted approach or attack.
The US sectors most likely to be affected by GDPR are those that have a global scope – so hospitality, travel, SAAS and retail, especially bigger conglomerates, should make an extra effort to ensure that they are compliant.
The GDPR requires that organizations obtain explicit consent from consumers before collecting any personal data. “Explicit consent” means that it must be “freely given, specific, informed and unambiguous,” according to Article 4 of the policy.
How can organizations ensure that they are GDPR compliant? Here are a couple of notes.
These are the standard notices that you read when signing up for most new apps or services. The GDPR declares that these notices must be clear and transparent. So, one thing that companies may have to do is to work on getting these more precise and legible - in other words, it’s important to have it be clear enough to have people read it rather than just offering them a long piece of small-font text and then having them click the “I agree” box.
When creating privacy notices, businesses can consider questions such as the following:
Opt-in marketing is also known as permission marketing, and it involves getting digital marketers to obtain consent from consumers before giving them what equates to targeted material.
Mobile opt-ins operate in a similar way to email signups in that basically businesses will request a person’s email. That particular exchange says that the marketers are allowed to contact the consumer via email about their goods and services. On mobile pages, this might take the form of a radio button or a pop-up screen delineating the terms of service. For instance, an app connected to Facebook asks you to authorize Facebook to use the information that you’re sending to the app.
The opt-in form is standard practice in digital marketing already, but one of the things that’s interesting and useful about the new EU policy (as well as Canadian regulations) is that opt-in forms should offer more details about what types of information can or may be shared. For instance, you’ve probably seen a selection of checkboxes delineating the different ways your email may be used when signing up for a blog or newsletter.
The ICO will be enforcing the GDPR through various sanctions including warnings, bans on data processing, restriction of data and suspending data transfers. Failure to comply with GDPR is punishable by huge fines at the equivalent of up to 4% of their annual turnover or €20 million. A mobile ad company called InMobi was fined almost $1m because they didn’t get proper consent for location information amongst other things.
The ICO will make a decision to penalize based on a number of factors, including the nature of the problem, the intentionality of the action and for mitigating it, previous infringements, the type of data involved, and the way it was discovered.
GDPR is focused on empowering the consumer, granting them more rights (at least in the EU) to things like:
But given that this is still a relatively new policy there will be grey areas to iron out when it comes to how personal data is used. The key thing for companies is that they obtain consent in a detailed and transparent way from the get-go. Furthermore, taking this consent away from companies who are using data should also be a simple and clear step.
One of the concerns about the GDPR is that, in its aim to protect data, it essentially requires that companies track and audit data, possibly costing companies tens of thousands of dollars to enforce the new privacy rules.
For the most part, advertisers aren’t likely to be directly affected by this in the near future. However, it changes the type of data that digital marketers collect from clients, potentially slightly shifting campaign strategies. For marketers, this means that they may not be able to use consumer data for targeted advertising.
The GDPR is an example of a relevant and useful policy for consumer protection. While it may create some complexities for certain businesses, it’s important that business managers and digital leaders not only abide but rules and regulations but incorporate policies internally that support and sustain the same principles to ensure customer protection and loyalty.
Learn the tools and technologies needed to meet the challenges of tomorrow with a Postgraduate Diploma in Digital Marketing. Download a brochure today!