You’ve probably noticed an influx of emails flooding your inbox with privacy policy updates and requests to renew your opt-ins or subscriptions to newsletters, social sites or promotional materials. GDPR is the reason for this, and the acronym may be familiar to you at this point. But, what exactly does it all mean?
Your company has hopefully had some discussions about what you need to do regarding the new privacy regulations and how much it affects you and your customers. If you haven’t started, now is the time since the law went into effect on May 25, 2018. As we developed our plan for compliance, a few questions kept popping up both internally and with our clients. Here are some answers we think may be helpful in sorting out what steps you need to take to ensure you’re compliant.
What is GDPR?
This one you may already know the answer to, but just in case, GDPR stands for General Data Protection Regulation, and it replaces an older data protection directive in the European Union. This new regulation was designed to make data privacy law uniform across Europe while protecting the data privacy of all EU citizens.
It sets forth newer rules and regulations on how personal information can be gathered, stored and shared. It also outlines what customers need to be told with regard to who their information is being shared with, such as advertisers or third-party vendors.
The primary areas of focus are:
- Consent – getting the consumer’s permission to collect their personal data and being very specific and transparent about how it will be used
- Portability – giving the consumer their data if they request it
- Restriction of processing – discontinuing the processing of the consumer’s data if they request it
- Security – preventing unauthorized access to the consumer’s data
- Right to be forgotten – deleting the consumer’s data if they request it
- Accountability – explaining your data protection policies to the consumer
Is it something I need to worry about?
Yes. You have an obligation to handle data securely and inform your customers how their information is being used. This regulation protects all European citizens, including those living in other countries such as the United States, so you likely have someone on your contact list or visiting your website who is covered by GDPR. If your data is at risk and a breach occurs, you can face steep fines. Plus, these types of increased regulations are likely to come to the U.S. sooner than marketers think. Consumers want to know where their information is going and that it’s secure in case of a hack, and lawmakers are taking notice.
We’re a smaller organization and can’t afford what the “bigger companies” have. What are some of the most important places to start?
Start by understanding where you have gaps in your security risk profile. This will likely include auditing, classifying and ultimately monitoring your data. It’s important that you have a clear picture of the data you collect and use, as well as how it’s stored, how it flows in and out of your organization, who has access and the security measures in place at each point. You may want to consider automated technology to streamline this effort. You’ll find this approach will go a long way towards making you GDPR compliant.
Also critically important are employee training and company culture around personal information security. This often requires a mindset shift across your organization, from the top down. Employees need to know their company puts a high value on the safety of their clients’ information. They handle the data on a daily basis and should be properly trained on how to send and store information.
I’ve heard this will take a substantial investment. Is that true?
It’s quite possible, but organizations need to think about this as a long-term investment to avoid heavy fines in case of a breach or other problems.
The extent of the cost for most companies will be determined by risk prioritization and mitigation. The systems needed to properly share and store information are a critical piece. You then need to consider the cost of sending email updates to customers, updating privacy statements online and the staff hours required to train employees. Overall, the investment could be substantial for many companies, but as a result you’ll be prepared, and your business risk will be reduced.
How do we manage this over time? Whose job is this anyway?
You’ll want to determine whether you need to establish a Data Protection Officer (DPO) role within your company. According to the regulation, a DPO may be required if you meet certain criteria, including if you regularly monitor data subjects or you process large amounts of personal data. This person should be the point person for all data security efforts. They’ll be establishing processes as well as conducting training and auditing going forward. They’ll need to be well versed on what’s required of your company by GDPR and any new regulations that come up in the future. This will ensure your hard work doesn’t go to waste in a few months when the newly established processes stop being followed.
You should also consider hiring a consultant to help you navigate your steps to compliance. An expert who can dive into the needs of your organization can set you on a path for success. Your legal team can also play a critical role by ensuring you have the right language across your privacy policy, consent forms, terms and conditions and contracts.
I’m not an IT person. How do I talk to those guys?
While you and your employees are likely the users of your marketing technology systems, data, and business processes, your IT team can help ensure your data is stored and transferred with the utmost security. They can help you “wall off” certain data sources and update permissions to only allow those who need access to sensitive information.
Sit down with your IT team and be clear and honest about what your end goals are. You should have a list of the items that are most important or easiest to implement, and of who will be handling which portion of each effort. It can be a bit daunting when you first look into GDPR changes, but once you take the time to prioritize what needs to be done, your work with your IT staff should be less intimidating.
What’s Simantel’s stance on GDPR?
Simantel began taking steps to establish information security enhancements 18 months ago as a preemptive effort to remain compliant, as well as to protect our clients and their contacts and customers. We believe in the need for better information security and have worked to stay ahead of the game. According to eMarketer, over 79 percent of IT professionals state their companies were compromised by a cyberattack in 2017. And, due in large part to this, 70 percent of consumers have experienced a decrease in trust when it comes to digital platforms.
Building trust and goodwill with your customers and protecting their privacy is a critical part of a strong brand. And this is just one more way to follow through on a brand promise by delivering the consistent experience customers expect.
As a person, this seems like a good thing, but is it good as a marketer?
In the long run, these regulations will be good for everyone involved, including businesses and marketers. Stricter regulations around information security will reduce risk and help to mitigate consumer anger in the case of a breach. A few companies have managed to come back after a security incident, but many have taken massive financial hits through fines or the loss of customers. Putting in the effort now may take some time, but it’s well worth it for everyone in the end.