Doesn’t GDPR only apply to Europeans?
The new GDPR law applies to any company currently handling personal data from individuals living in the EU. Even if you don’t directly advertise to Europeans, any personal data you have on them could result in a significant fine.
Alright, and what are the consequences?
Significant. If your company is caught violating the GDPR, you will be fined 4% of your annual global sales or twenty million euros; whichever is the higher amount. Not only that, but you could face substantial consumer backlash and bad media coverage. Europeans care about their online privacy and if you’re caught violating it, that doesn’t look good for the brand.
oh, okay, give me the Gist of this new law then
GDPR is intended to replace out of date laws so that individuals have more control over their personal data. This entails that companies (including those in ad tech and publishing) are required to gain the approval of internet users for the use of their online identifiers (cookies, ad IDs).
Here, it’s important to distinguish between data controllers and data processors. A data controller is the entity that collects data from users whereas a data processor, typically a DMP, takes that collected data and organizes it. The data controller is required to obtain consent from the user and the data processor is required to verify that the controller they are receiving data from is obtaining proper consent as dictated by GDPR. If the data processor has contracted a data subprocessor involved, the data processor must inform the data controller. Some data processors are controllers themselves as they sometimes collect data as well. The line between controller and processor is not completely black and white.
The law essentially demands accountability and transparency in the entire ad supply chain. Here’s six key points.
Clear, transparent consent practices and privacy policies
Consent policies are required to be easy to understand, avoiding legal language the average person doesn’t easily comprehend. The request for consent from the consumer must be given in a straightforward, easy-to-understand fashion that makes its clear that they are consenting to the processing of their data. Additionally, the consumer must be able to withdraw consent at any time.
The right of consumers to access their personal data
Consumers must be able to see their data that is being collected and for what purpose it is being used for. They also have to be able to access their data electronically and be able to give that data to another company if they desire.
The right to be “forgotten”
Any consumer that wishes to have their personal data deleted has the right to demand its deletion and the end of its use altogether. Both companies and third parties must delete and cease using the data if it’s in their possession, including businesses outside the EU as mentioned previously. If a consumer withdraws consent, their data must also be deleted and use of it halted.
Companies must structure new systems and approaches with a privacy-first mentality, not with privacy as an ‘add-on feature’
Companies are required to structure new systems for collecting data with a privacy-first mentality. Any data that is collected, stored, and processed must be necessary to a business and their operations. Personal consumer data that is collected but inessential to your business must be better protected as well.
Companies must alert consumers within 72 hours of a breach taking place
If a data breach has occurred that could result in” a risk for the rights and freedoms of individuals”, consumers must be alerted within 72 hours of when the breach took place. This applies to both those companies collecting and processing data.
Companies must assign a data protection officer
Companies whose core business is to process and collect consumer data must assign a data protection officer. That DPO must be qualified for the position and report to the highest level of management.
Oh god, what do I have to do?
Have you considered panicking? Better yet, here are some concrete steps to take to calm those nerves and put your company on the right track.
Seek Legal Counsel
When dealing with new legislation a lawyer is always handy. Another option is to seek a compliance consultant to ensure you are moving in the right direction.
Conduct a full data mapping
Time to review those logs of where the personal data is processed, stored and moved. Bring a good magnifying glass.
You still have that magnifying glass? All those partnerships of yours need to be reassessed to make sure all parties are compliant with GDPR. Make sure you feed your contract writers well; they will need the energy.
Any data collection policies and procedures must now comply with GDPR requirements. See above.
Honour privacy by design
When designing new programs, marketing, and sales, make sure to include privacy as a fundamental part of the process, not just some addition after development. The people will notice.
How does the industry feel about it?
There are numerous concerns about GDPR’s implementation this May. For instance, smaller companies are having a harder time making the necessary changes as they struggle with the legal costs that don’t quite impact larger companies in the same way. It is no surprise that the larger businesses are much more prepared for GDPR than the smaller ones.
The primary concern for marketers is obtaining consent from consumers. Implementing changes is challenging but the potential loss of valuable data will be a hard pill to swallow for companies.
How much data could we possibly lose?
I’d hate to be the one to tell you but, “75% of customer data could be rendered obsolete by GDPR” according to data marketing firm W8Data. Admittedly, that’s a large piece of the data pie that will be gone overnight.
How many Europeans will opt out of data collection?
According to polls, 6 in 10 internet users in Europe said they would likely opt out of receiving emails, and phone calls from companies, while 59% ask to have their records completely deleted.
Is all lost?
Although there will be short-term pains from a loss of data, the purge will leave marketers with higher quality data. The best consumers are ones that are willing to share their data with a brand. Chasing disinterested consumers can be a big waster of budget dollars. This will put a greater emphasis on first-party data which is the most reliable anyway.
But what about the consumers that don’t want to share their data?
They can’t be targeted via tracking cookies, but they can be reached via contextual targeting. If they’re a sports fan, then you know where they’re likely to be found; a sports website.
The purge of data from consumers opting out may just be a gift in disguise as a burden. That gift being efficacy for marketers.