What is GDPR – And What Can Marketers Do to be in Compliance in 2018?
Everyone is talking about the GDPR – and for good reason. As of May 25th, 2018, GDPR (General Data Protection Regulation) became law for anyone doing business in the EU.
And before you ask, no, it doesn’t matter if your company is based there or not.
If there is any possibility (no matter how remote) that you may someday do business with an EU citizen, you need to be compliant.
If you’re confused by the entire thing, you’re not alone – many marketers aren’t really clear on what they can and can’t do. In fact, most of them don’t even know what “GDPR” stands for.
But it’s not their fault – most of the available information is super confusing at best, indecipherable at worst (and with 11 chapters and literally hundreds of pages, the actual document is virtually unreadable).
Unless you’re a lawyer, it’s hard to make sense of the lingo (disclaimer: I’m not a lawyer – the guide my team and I prepared for you here is to help you work through the chaos).
As a marketer, you probably use a lot of external tools. From landing pages, to lead magnets, to conversion optimization, you may be wondering what is affected.
The simple answer? Everything.
The real question is: How do you become GDPR compliant? Do you need pop-ups? Double opt-ins? Are you even allowed to send marketing emails at all? And what happens if you don’t comply?
So… What Exactly is GDPR?
I think we need to start out by discussing what GDPR is. Here are the basics:
- GDPR protects all individuals within the combined European Union and European Economic Area (an agreement combining the EU, plus Liechtenstein, Norway, and Iceland, into an internal market)
- It provides regulation governing data protection and privacy, as well as data exported outside of the EU
- There is a related law, the ePrivacy Regulation, which expands on GDPR in greater detail
- Each European country can customize the law as is suited to them
- The regulation differs depending on whether you’re a data controller or a data processor
- It went into effect on May 25th, 2018
- ANYONE who does business with even one EU citizen is subject to the regulation
- It’s retroactive – meaning it applies to any data that you’ve already collected, no matter how old it is
- Hefty fines are promised in exchange for non-compliance (up to $24 million or 4% of your total annual sales!)
In a nutshell, the main goal of the regulation is to give EU citizens control over their own information. Whether or not it will make business more difficult, I think we can all agree that this was a long time coming.
As Sam Hurley (ranked as a top digital influencer by Webinale) says, GDPR “primarily enforces what should have been requested in the first place: permission”.
I don’t personally agree with that because overall, this law is a burden on companies like yours and mine, hurts people’s user experience, and will NOT necessarily lead to better security or to companies not trading your data for marketing purposes.
If you don’t believe me, look no further than the annoying pop-ups on so. many. websites. today, telling you they use tracking cookies (duh), and the way businesses are sending out email notices.
The intentions are noble, but it is poorly implemented and enforcement is unclear.
What constitutes Personal Data?
Part of why the regulation can be so confusing is that there is no universal definition of what “personal data” is. Each country in the EU has its own characterization of what qualifies.
For our purposes, we will refer to the UK’s Data Protection Act (DPA), as it serves up a good basic definition. According to the DPA:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In practice, that covers things like:
- Legal name or pseudonym
- Email address
- IP address
- Religious preference
- Ethnic background
- Sexual orientation
- Health records
- Criminal record
- Political affiliation
- …and much more
How Is “Consent” Defined?
Gone are the days of bundled consent and “third party” sharing.
The GDPR says, “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.
In layman’s terms: you need to be clear on exactly what information you are collecting and what you are using it for.
Don’t allow room for interpretation: be specific and clear, and no one will later be able to say, “but I didn’t know they were going to (fill in the blank)”.
Here’s what you can’t do:
- Bundle consent – “by receiving this free PDF, you agree to receive my email newsletter” won’t fly anymore
- Offer third-party consent – “I’d like to receive info on your company and from interested third-party retailers” is a no-go (unless you specifically name the third party, and provide a separate checkbox)
- Take names for an email list, and then send them postal mail or call them on the phone – you’d need consent for each of those contact methods, individually
- Offer a pre-checked “I consent” or “sign-up” box – the user needs to manually check that box on their own
- Have users check an “I don’t want to receive updates” box, or something similar – that’s an opt-out, not an opt-in
- Send someone an email just because they’ve done business with you in the past. Even if they verbally told you they’d like to receive more information – and they posted about how much they love you all over Facebook. Legitimate interest is a thing – but it’s reaaaaal shady. Bottom line: it’s not worth the risk. Get written consent.
What About Opt-Outs?
Basically, you need to make it just as easy for people to opt-out of your list as it is to opt-in.
If someone decides that they no longer want your emails, you need to remove them – and all their data – from your system within 30 days. And that doesn’t just mean taking their email off your list – it means entirely scrubbing your system of any information you’ve collected on them.
Oh, yeah. And if you shared that information with third parties, you have to make sure they get rid of it, too.
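The consent rules above and the opt-out rules in this section fit naturally into a small consent ledger. The following Python is an added example written for this page, not code from the post or from any vendor; the form fields, the `Checkbox`/`ConsentRecord` model, the subject names and the "Acme Retail" recipient are all constructed. It rejects forms that bundle purposes or channels, pre-tick a box, use opt-out wording, or share with an unnamed third party; it records one consent per purpose and per contact channel; and a withdrawal closes every live consent, starts the 30-day erasure clock the post describes, and lists every processor that must also be told to delete.

```python
"""Granular opt-in consent ledger with cascading withdrawal (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ERASURE_WINDOW = timedelta(days=30)  # removal window stated in the post


@dataclass(frozen=True)
class Checkbox:
    """One consent control on a sign-up form (constructed model, not a real API)."""
    id: str
    label: str
    purposes: tuple                  # e.g. ("newsletter",)
    channels: tuple                  # e.g. ("email",)
    recipient: Optional[str] = None  # named third party when purpose is "share"
    default_checked: bool = False
    opt_out: bool = False            # True for "I don't want ..." style boxes


@dataclass
class ConsentRecord:
    subject: str
    purpose: str
    channel: str
    label_shown: str                 # evidence: the exact wording agreed to
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


def lint_form(boxes):
    """Return the ways a form breaks the rules; an empty list means it passes."""
    problems = []
    for b in boxes:
        if b.default_checked:
            problems.append(f"{b.id}: pre-checked box")
        if b.opt_out:
            problems.append(f"{b.id}: opt-out wording instead of opt-in")
        if len(b.purposes) != 1:
            problems.append(f"{b.id}: bundles purposes {b.purposes}")
        if len(b.channels) != 1:
            problems.append(f"{b.id}: bundles channels {b.channels}")
        if "share" in b.purposes and not b.recipient:
            problems.append(f"{b.id}: sharing without naming the third party")
    return problems


class ConsentLedger:
    def __init__(self):
        self.records = []
        self.shared_with = {}        # subject -> processors holding copies

    def record(self, subject, boxes, ticked, now):
        """Store one record per (purpose, channel) the user actually ticked."""
        problems = lint_form(boxes)
        if problems:
            raise ValueError("form rejected: " + "; ".join(problems))
        new = []
        for b in boxes:
            if b.id not in ticked:
                continue
            for p in b.purposes:
                # sharing consent is tied to the named recipient
                purpose = f"share:{b.recipient}" if p == "share" else p
                for c in b.channels:
                    new.append(ConsentRecord(subject, purpose, c, b.label, now))
        self.records.extend(new)
        return new

    def _live(self, subject, purpose, channel=None):
        return any(r.subject == subject and r.purpose == purpose
                   and (channel is None or r.channel == channel)
                   and r.withdrawn_at is None for r in self.records)

    def may_contact(self, subject, purpose, channel):
        return self._live(subject, purpose, channel)

    def may_share(self, subject, processor):
        return self._live(subject, f"share:{processor}")

    def share(self, subject, processor):
        """Record a disclosure; refuse unless a live consent names the processor."""
        if not self.may_share(subject, processor):
            raise PermissionError(f"no consent to share {subject} with {processor}")
        self.shared_with.setdefault(subject, set()).add(processor)

    def withdraw(self, subject, now):
        """Opt-out: close every live consent and return the erasure task."""
        for r in self.records:
            if r.subject == subject and r.withdrawn_at is None:
                r.withdrawn_at = now
        return {"subject": subject, "erase_by": now + ERASURE_WINDOW,
                "notify": sorted(self.shared_with.get(subject, ()))}


def at(day):
    """Constructed timestamp helper: a day in June 2018."""
    return datetime(2018, 6, day, tzinfo=timezone.utc)


# Constructed compliant form: three separate, unticked opt-in boxes.
SIGNUP_FORM = (
    Checkbox("newsletter", "Add me to your email newsletter", ("newsletter",), ("email",)),
    Checkbox("discounts", "Email me discount codes for the course", ("discounts",), ("email",)),
    Checkbox("share_acme", "Share my details with Acme Retail", ("share",), ("email",),
             recipient="Acme Retail"),
)

# Constructed non-compliant form: bundled and pre-checked, plus an opt-out box.
BAD_FORM = (
    Checkbox("bundle", "Get the PDF and join the newsletter", ("pdf", "newsletter"),
             ("email",), default_checked=True),
    Checkbox("no_updates", "I don't want to receive updates", ("newsletter",),
             ("email",), opt_out=True),
)


def demo():
    """Sign up, share under consent, then withdraw; returns the ledger and task."""
    ledger = ConsentLedger()
    ledger.record("alice@example.com", SIGNUP_FORM, {"newsletter", "share_acme"}, at(1))
    ledger.share("alice@example.com", "Acme Retail")
    task = ledger.withdraw("alice@example.com", at(4))
    return ledger, task


if __name__ == "__main__":
    print("bad form problems:", lint_form(BAD_FORM))
    _, task = demo()
    print("erasure task:", task)
```

Running it prints the three problems found in `BAD_FORM` and an erasure task due 30 days after the opt-out that names Acme Retail as a processor to notify. The important design point is that consent is keyed by purpose and channel, so a ticked newsletter box never grants permission for postal mail or discount emails, and sharing is only possible while a consent naming that exact recipient is live.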
What’s The Difference Between A Data “Controller” And A Data “Processor”?
- Data Controller: The entity that is responsible for the storage and use of personal data.
- Data Processor: The entity that processes data on behalf of the data controller (but does not exercise responsibility or control over it).
- You can be both a controller and processor, so be clear on which regulations apply to you!
As an example: If you were to run a paid ad on Facebook using data that was collected by them (such as birthdate, education, salary, etc.), Facebook would be the controller. They collected the data, and it is on them to make sure it is compliant.
If, however, you ran an ad based on information you collected (such as your mailing list or people who have visited your website), then you are the controller, and it is your responsibility to be compliant.
What’s Up With That ePrivacy Regulation You Mentioned?
This could be an entire article unto itself, but in general, the ePrivacy Regulation also covers the processing of personal data.
The important thing to know is, in the case of conflicting information, the ePrivacy Regulation supersedes the GDPR.
(It’s complicated and annoying, I know… But getting compliant is easier than you think.)
What Do We Need to Do About It?
I think it would be fair to say that the rules are unclear. There’s a lot of grey area, particularly regarding “legitimate interests”.
If nothing else, remember this: GET CONSENT. ALWAYS.
Will I Be Fined?
So, how will GDPR be enforced in the US?
The short answer: no one really knows for sure.
Article after article mentions the potential €20 million fine ($24 million US), but no one says exactly how or when that will be imposed.
For now, it seems that if a business has a physical presence in the EU, GDPR can be enforced directly against them. For all those not in the EU (like any business that operates exclusively online), things are a little less clear.
(I’m not a lawyer, but I predict this law will eventually fade into the realm of the CAN-SPAM law, where it is selectively enforced because — despite noble intentions — there’s no clear way to enforce it universally. Most businesses will never have an issue and be “compliant enough.”)
Essentially, enforcing the regulation would rely on international law. As of now, there are no negotiated mechanisms in place for enforcing fines – so it would really come down to the potential cooperation between the US and the EU.
Is Any Of This Really Worth It?
If you’re like most other business owners, you’re probably wondering, “Do I really need to do something that is going to cost me sales, or at the very least, my time?”
Well, that depends.
As we said – whether the fines will be enforced is totally up in the air right now. But is it worth the risk? Probably not.
When it comes down to it, this is where all privacy laws are probably heading anyway.
It’s only a matter of time before we have similar legislation in the U.S. — and I think most legitimate marketers are against the sort of behavior this is cracking down on anyway (buying generic lists, collecting cookies on the sly, and sending spammy emails, to name a few).
Yes, this is going to take some time and effort on your part. I like that fact as much as you.
Frankly, it will probably hurt your conversion rate.
The upside though is you’ll have a stronger list of people who are genuinely interested in your product (and not just that free PDF you were giving away).
Complying with GDPR isn’t as complex as people make it out to be.
Pro: It creates increased trust between you and your audience and leads to a better list – no more wasting time on people who don’t actually want your emails.
Con: The procedures are tedious to implement, but not difficult.
Luckily, every business will have to abide by the same set of rules (theoretically), which helps even out the playing field.
To sum it up:
- GDPR applies to all your data – even if you obtained it prior to May 25th, or you’ve had it for the last ten years, or it was gifted to you directly by the Queen herself.
- Consent needs to be clear and concise – no beating around the bush about what you’re going to do with their data.
- If you want permission for three different things, you need three different checkboxes. For example: 1) I give you permission to add me to your email marketing list, 2) I give you permission to send me discount codes for xx product, 3) I give you permission to share my information with xx company.
- If someone wants off your list, take them off your list. Don’t make it difficult.
- It doesn’t matter if your business isn’t based in the EU – the rules still apply.
I’ll leave you with this thought: you are a marketer.
Marketing is about finding a niche and creating buzz around your product. There is always going to be some new development, some issue, which is threatening to throw a wrench in the gears – but you need to figure out how to work around it.
You’ve always done that in the past, right?
So, how do you feel like GDPR is going to affect your business? Have you noticed a negative impact already?
Comment below and let us know what changes you’ve had to make, and how it’s affecting your sales funnel.
Keep Hustlin’, Stay Focused,