With that in mind, Europe is preparing to implement the largest adjustment in data-protection law in the last 20 years – the General Data Protection Regulation (GDPR). GDPR comes into effect on May 25, 2018. This regulation initially impacts European Union member countries, and aims to protect people from companies selling personal data. The regulations state individuals must be informed about their rights and know how to object to the processing of their personal data.
To be clear, personally identifiable information (PII) is any data that identifies a specific individual. The GDPR applies to any information relating to an identified or identifiable living person, directly or indirectly. An IP address, certain cookie data and geolocation can be classed as personal data under the GDPR. Additionally, browsing behavior collected to build a profile is also considered personal data.
If organizations fail to comply with the new regulations, they risk major fines of up to four percent of annual worldwide revenue or over 20 million euros – whichever is a greater value. The fines stand as a strong ‘stick’ to control the use and processing of data in Europe.
However, this will have a major impact in US markets, particularly as many US organizations have international operations.
Globally operating companies – even those without an EU presence – must now comply with the GDPR if their EU customers’ personal data might be affected, or if those customers’ behavior is monitored, which covers a substantial number of companies. In other words, the GDPR will effectively become global privacy legislation, and any business processing the data of EU citizens may be required to appoint a Data Protection Officer.
Here are three things US marketers and advertisers need to consider to ensure their organizations adhere to the new, evolving data standards.
Reflect on Data Aggregation and Treatment
Every marketer needs to reflect on their interactions with, and use of, first- and third-party data. Most importantly, marketers need to analyze the types of data their organizations process. This might initially seem daunting, but an efficient way to approach it is to start a GDPR task force to implement the necessary procedures and processes.
Additionally, US organizations should create and maintain a record of all data processing initiatives and define the purpose of each. In the record, be sure to segment the various types of data collected, note whether the data has been transferred to other countries, state the time limits for deletion, and give a general description of the technical and organizational security measures in place.
Beware of Third Party Suppliers
Do you have a data processing agreement in place for every third party processing data on your behalf? Review which suppliers you use and whether you have an agreement with each of them. If not, you need to get data processing agreements set up before May 2018. Regarding consumer consent, the GDPR says consent is only valid for specific data processing by a clearly identified person or party. Relying on consent that refers to unspecified third parties will render that consent invalid, so beware of this.
Rest Assured That Your Existing Data is Safe
If data was obtained lawfully under the current directive, companies can continue using it. Likewise, consents given under the current directive will not necessarily be invalid. The GDPR states that consents do not need to be obtained again or reconfirmed by consumers, provided they already conform to the GDPR requirements.
The EU clearly states that the enforcement date of the GDPR is May 25, 2018. This is critical, as organizations that fail to comply will face heavy fines. Early adopters will be positioned for long-term data-regulation success and will help build a more transparent and thoughtful marketing industry. Don’t fall behind: prepare for the data law changes now.