Disclaimer: This blog post is not an authoritative source on GDPR or data privacy in general. It should not be relied upon as legal advice for any company to use in complying with data privacy laws like GDPR. It is simply meant to inform readers about WSOL's position on GDPR and provide some background to better understand how your business may be impacted. We recommend that any organization seeking advice on how their business practices need to adapt to GDPR, or any privacy laws, consult an attorney specializing in data privacy regulations.
General Data Protection Regulations (GDPR) is almost here! Are you prepared? Or maybe a better question is, do you even know what GDPR is and whether or not it applies to you? If you're like most Americans, the answer is probably "no." However, if you are involved with marketing and data collection, this new set of privacy regulations does apply to your company. As a consumer, unless you're a citizen of the EU you won't be impacted yet, but it does signify a major change in thought and policy about personal data privacy and the rights of consumers, and will in all likelihood influence future U.S. regulations. Let's start with some background.
What is GDPR?
The General Data Protection Regulations (GDPR) is a set of regulations soon to be enacted by the European Union which moves ownership of personal data to EU consumers and away from companies that collect, store and sell that data for various purposes. In other words, the GDPR states that private individuals have complete control as to when, where, why and how their personal data is collected and used, not companies. The regulation is set to go into effect on May 25, 2018.
Why is this important?
Do you value your privacy? If so, then this is an important set of regulations. As evidenced by the recent scandal involving Facebook and the illicit transfer of user data to Cambridge Analytica for unsolicited political ad targeting, legislators are beginning to take notice of how personal data is used (or misused in this case).
Basically, every time you submit information online about yourself, either knowingly (through a registration or a purchase) or through automated means that collect information about you without your knowledge, that data can be used for any number of reasons to benefit the company that collected it including targeting you with ads, selling your data to third parties or building an online profile about you for future use. If you are like most people with an active online lifestyle, you've noticed the steady rise of personalized ads that seemingly follow you to any website you visit, not to mention losing the battle against spam filling your inbox.
Your data is a valuable commodity that numerous companies have figured out how to exploit, usually benevolently, but also too often to your detriment. Identify theft and fraudulent financial transactions are all too frequent occurrences that rise from the lack of data privacy and security today.
Aren't there already regulations about this?
Sort of. In 2003, the U.S. Congress passed the CAN-SPAM Act. This law was meant to protect consumers from unwanted advertising and placed restrictions on how companies managed personal data. However, there is a fundamental difference between the approaches CAN-SPAM and GDPR take. CAN-SPAM was an effort to combat data misuse by targeting the primary symptom: too much spam. It gave consumers the right to opt-out of future advertising and required companies to disclose how your data could be used. That's why most spam messages you get today have an "unsubscribe" link or something similar in the fine print that theoretically allows you to remove yourself from that email list. As you well know by now however, this hasn't really done anything to reduce the amount of spam. If anything, it has continued to increase. That is partly because there is nothing in CAN-SPAM that allows you to control your data once it is provided to a third party. It can be sold, resold and spread throughout cyberspace without your explicit knowledge or approval.
GDPR addresses this by going after the root cause of data misuse: the lack of consumer control of their own data. Rather that granting companies the right to manage data however they want with only an opt-out allowance for the consumer, GDPR ensures that consumers maintain complete control of their data and are clearly informed about the data being collected and for what purpose. Once collected, the consumers maintain control and change or delete their data any time.
There are also strict regulations surrounding data security, storage durations limitations, and data access provisions meant to protect your data from theft or unintentional disclosure to third parties. The Payment Card Industry (PCI) standards were created specifically for securing financial transactions, but they are very limited in scope and do not protect most forms of consumer data. The complete set of GDPR regulations is complex and lengthy, but the overall goal is to once and for all ensure privacy of consumer data.
Does it apply to the U.S.?
While GDPR is a European Union set of regulations, it does not limit prosecution to European companies only. Basically, if any organization collects and stores data on EU citizens, knowingly or not, they are bound by the regulations. This includes a wide array of U.S. companies. And the penalties for violation are steep - companies who are found to violate any provisions of GDPR face fines of up to 4% of gross annual revenue or 20 million Euros, whichever is greater. That is no joke and all companies should take notice.
Will spam disappear after GDPR?
No. Even if the U.S. fully adopts regulations similar to GDPR, there are still a wide variety of bad actors that flout the laws and will continue to do so. You will probably still hear from that Nigerian prince who needs your help moving his money. However, the overall volume should be reduced which should provide legitimate marketing more breathing room. Rather than being lost in the noise, legitimate marketing messages should have a better chance of hitting their mark.
Are there other potential benefits to marketers?
While these regulations may appear to tie the hands of marketers, they may actually be doing them a favor. The goal of any good marketer is to get the right message in front of the right set of eyes at the right time. GDPR provides a framework that will force marketers to focus their efforts on identifying consumers that are truly interested in their product or service and are actively seeking more information. When your marketing contact list is filled with people who have explicitly asked to be contacted, the rate of sales success should be significantly increased. As our friends as HubSpot stated,
"Be relevant, be helpful, be transparent, and you’ll be on your way to compliance. Be spammy, interruptive, aggressive, and you’ll be in trouble."
In other words, good marketing methods should already lend themselves to compliance. GDPR is a shove in the right direction to make sure marketing is a valued service, not a annoying nuisance.
What is WSOL doing to prepare?
While we don't actively market to EU citizens, we are nonetheless taking steps to ensure our data collection and management methods match GDPR specifications. We are in the process of updating our online forms, privacy disclosures and data management policies to ensure we are in compliance and ready for any future policy changes.
What are our partners doing to prepare?
Our primary technology partners, HubSpot and Episerver, clearly have a significant interest in GDPR compliance as these platforms are used worldwide and tie directly into the regulations' key provisions. For more information on their stances, please refer to the following links:
Where can I get more information about GDPR?
While there are numerous online resources available, here are some we found useful:
http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf (this is the actual text of the regulation, if you're so inclined).
GDPR will introduce a major shift in the way marketers do business. For the most part, this should benefit consumers and companies alike. But it also means rethinking current practices, understanding the types of data we collect and most importantly, putting the consumer at the forefront of our consideration, where they belong. While the final scope and impact is yet to be seen, GDPR in all likelihood is the first major step in a new way privacy is defined and managed in our increasingly digital world.