This article was developed from a presentation given during Social Media Day on June 23, 2018. We’ve made the original presentation slides available, along with every other presentation given that day.
OK, so maybe the title is a bit dramatic. Non-compliance with the GDPR won’t cost you your life, but it could cost you a fortune.
Good job, GDPR. In your effort to cut down the amount of spam people got, you triggered a tidal wave of it.
But out of all of those emails, how many actually explained what the hell the GDPR is? Rally’s got your back.
What is the GDPR?
GDPR stands for the General Data Protection Regulation. It gives people in the EU stronger rights over their personal data and unifies data protection law across all member states.
It’s the REMIX to the 1995 Data Protection Directive (which the UK implemented as the Data Protection Act 1998), which attempted to do much the same. But that was more than 20 years ago (gag), and nobody anticipated the rise of social media or the sheer amount of customer data businesses would be able to acquire.
Who Does it Apply To?
Not just companies in the EU! The regulation applies to every business, wherever it is based, that collects personal data about people in the EU, for example by offering them goods or services or by tracking their behaviour on its website. This is more businesses than you would think.
I ran an Analytics report for all 72 Rally Marketing clients. Every single one of them showed site visits coming from at least one state in the European Union – often multiple states.
If you haven’t taken the steps to comply with the regulation, you are at risk of being fined millions.
But you don’t store any of that data yourself, right? That’s up to the Googles and the MailChimps and the Facebooks!
Not quite. There are two different types of data handlers under the new regulation. One of them is your company.
Data Controllers vs. Data Processors
A Data Controller is the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” A Data Processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” (Both definitions are from Article 4.)
In other words, your company collects email addresses from current and potential customers for the purpose of sending them newsletters through MailChimp. Your company is the data controller and MailChimp is the data processor.
Elements of GDPR Compliance
1. Obtaining Consent
Consent must be requested in clear and plain language, freely given for a specific purpose, and as easy to withdraw as it was to give (Article 7). This is pretty ironic considering the GDPR itself is 88 pages (in the Official Journal) full of hard-to-understand legal jargon.
2. Timely Breach Notification
Data controllers have 72 hours from becoming aware of a data breach to notify their supervisory authority, and must also notify the affected individuals without undue delay when the breach is likely to put them at high risk (Articles 33 and 34). Data processors must notify the controller without undue delay. Failure to do so falls under the lower penalty tier of the regulation – “up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.”
3. Right to Data Access
Anyone whose data you hold has the right to request their full data profile, and you must provide a free electronic copy of all data your company has collected on them, normally within one month (a reasonable fee is allowed only for further copies). You must also detail how you are using that data (Articles 12 and 15). Failure to do so falls under the higher penalty tier – “up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.”
4. Right to Be Forgotten
This is also known as the right to erasure. Once you no longer need the customer’s data for the purpose you collected it for, or they withdraw their consent, they have the right to request that you completely erase their data (Article 17). Failure to do so falls under the higher penalty.
5. Data Portability
This gives users the right to receive the data they provided to you in a structured, commonly used, machine-readable format and to use it however they see fit, including taking it to another company (Article 20). Failure to comply falls under the higher penalty.
6. Privacy by Design
This dictates that companies must build data protection into their systems from the start and process only the data each purpose actually needs (Article 25), rather than bolting compliance on afterwards. Failure to do so falls under the lower penalty.
7. The Hiring of Data Protection Officers
In some cases, companies will be required to appoint a Data Protection Officer (DPO). This applies to public authorities and to organisations whose core activities involve large-scale, regular and systematic monitoring of people or large-scale processing of sensitive data (Article 37); it depends on what you process, not on headcount. This does not apply to your regular small business.
How to Make Your Website GDPR Compliant
Update Your Contact Forms – Explain why you are collecting their data. For example, you need their name and email address in order to get in touch with them upon submission of a contact request.
Spell it out directly above the form. Include a checkbox that indicates they accept your terms of service. Opting in to further marketing requires a separate checkbox. Neither can be pre-checked: a pre-ticked box does not count as consent under the regulation.
Email Marketing – Do not send any unsolicited marketing emails, especially to a list you purchased from another company. There are other ways you can use this data, such as Facebook Lookalike audiences for ad targeting.
If you have an existing list, you are encouraged to send an opt-in email to each person. This ensures they want to be contacted and further protects your company. You will lose a few subscribers, but they likely weren’t very engaged to begin with.
You must also make it easy for users to unsubscribe.
Create Processes for Handling Customer Data – Have a clearly defined process in place for when someone requests to see, correct or delete their data, and make sure every member of your staff knows what to do; the clock (one month) starts when the request arrives, whoever receives it. Create an easy way for people to make these requests on your site.
It is also your responsibility to ensure the data processors your company uses are compliant, and to have a written contract with each of them covering how they handle your data (Article 28).
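As an added example (not code from the original article or from Rally Marketing), here is a small Python sketch of the three pieces above tied together: a contact-form handler that only counts an explicitly ticked box as consent and logs marketing consent as a separate record, a double opt-in token for the mailing list, and access-export and erasure routines that cover every store the person appears in rather than just the CRM. Everything is in memory; the form fields, consent wording, store layout and method names are constructed assumptions for illustration, not any real CRM or mailing-list API.

```python
import hmac
import secrets
from datetime import datetime, timezone

# Constructed consent wording shown above the form. It is versioned so that every
# stored consent record points at the exact text the person agreed to.
CONSENT_TEXT = {
    "tos_v1": "We use your name and email address only to reply to this enquiry.",
    "newsletter_v1": "Yes, send me the monthly newsletter. Unsubscribe at any time.",
}


class ConsentError(ValueError):
    """Raised when a submission lacks the explicit consent it needs."""


class CustomerStore:
    """Hypothetical in-memory stand-in for a CRM plus a mailing list (example only)."""

    def __init__(self):
        self.contacts = {}      # email -> contact record
        self.consents = []      # append-only consent log
        self.subscribers = {}   # email -> newsletter status and opt-in token

    def submit_contact_form(self, form: dict) -> dict:
        """Handle a parsed form POST such as {"name": ..., "email": ..., "accept_tos": "on"}.
        A browser sends a ticked checkbox as its value attribute ("on" by default) and omits
        an unticked one entirely, so only that explicit value counts; a missing field is
        never treated as consent and there is no server-side default."""
        if form.get("accept_tos") != "on":
            raise ConsentError("terms must be explicitly accepted")
        email = form["email"].strip().lower()
        now = datetime.now(timezone.utc).isoformat()
        self.contacts[email] = {"name": form["name"], "email": email,
                                "message": form.get("message", ""), "received_at": now}
        self.consents.append({"email": email, "purpose": "contact_reply",
                              "text_version": "tos_v1", "given_at": now})
        # Marketing consent comes from its own, separately ticked box and is logged as a
        # distinct record; it is never inferred from the terms checkbox.
        if form.get("marketing_opt_in") == "on":
            self.consents.append({"email": email, "purpose": "newsletter",
                                  "text_version": "newsletter_v1", "given_at": now})
            # Double opt-in: nothing is sent until the person confirms from their inbox.
            self.subscribers[email] = {"status": "pending", "token": secrets.token_urlsafe(32)}
        return self.contacts[email]

    def confirm_opt_in(self, email: str, token: str) -> bool:
        """Called from the link in the confirmation email; constant-time token comparison."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is None or not hmac.compare_digest(sub["token"], token):
            return False
        sub["status"] = "confirmed"
        return True

    def unsubscribe(self, email: str) -> bool:
        sub = self.subscribers.get(email.strip().lower())
        if sub is None:
            return False
        sub["status"] = "unsubscribed"
        return True

    def export_subject_data(self, email: str) -> dict:
        """Right of access / portability: everything held about one person plus the purposes
        it is used for. Pass the result to json.dumps for the machine-readable copy."""
        email = email.strip().lower()
        sub = self.subscribers.get(email)
        purposes = ["replying to your contact request"] if email in self.contacts else []
        if sub and sub["status"] == "confirmed":
            purposes.append("sending you the newsletter")
        return {
            "contact": self.contacts.get(email),
            "consents": [c for c in self.consents if c["email"] == email],
            "newsletter_status": sub["status"] if sub else None,  # the token stays private
            "purposes": purposes,
        }

    def erase_subject(self, email: str) -> int:
        """Right to be forgotten: remove the person from every store, not just the CRM.
        Returns the number of records removed so the request handler can log the outcome."""
        email = email.strip().lower()
        removed = 0
        if self.contacts.pop(email, None) is not None:
            removed += 1
        if self.subscribers.pop(email, None) is not None:
            removed += 1
        kept = [c for c in self.consents if c["email"] != email]
        removed += len(self.consents) - len(kept)
        self.consents = kept
        return removed
```

The point of returning a count from `erase_subject` is that an erasure request is only complete when every copy is gone; in a real deployment the same loop has to reach the mailing-list provider and any other processor, which is exactly why the contract with each of them matters.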
So Now What?
Embrace the GDPR. While the US has no equivalent regulation yet, the GDPR is looked upon as the gold standard. If other countries were to implement something similar, it likely wouldn’t be that different.
Plus, your company probably already falls under its umbrella. Sure, you could simply block all site visits from EU member states, as the L.A. Times and the Arizona Daily Sun did. But as more Cambridge Analytica scandals hit the news, it’s likely you’re going to be complying sooner rather than later.