Most of the information below was found in HubSpot's Create a GDPR Strategy Lesson, as well as other resources, all listed at the bottom of the post for your convenience. This post does not constitute as legal advice and you should always seek legal counsel to see how this regulation will affect your company or organization's specific circumstances.
If your business collects personal data from subscribers, leads, and/or customers, you should have already heard of the General Data Protection Regulation (GDPR) and know that it goes into effect on May 25, 2018. If you haven't heard of the GDPR, read this post to understand the fundamentals and check out the resources to have a better understanding, then contact your legal department to know how this new regulation affects your business, then gather your marketing team and put a plan in place to become compliant with the GDPR.
The GDPR is a regulation by the European Union (EU) to protect the digital personal information of its citizens. HubSpot puts it this way: the GDPR enhances the protection of personal data of EU citizens and increases the obligations on organizations who collect or process personalized data. While most of our audience is in the United States and might not do business directly with countries in the EU, please hear this: The GDPR will affect companies in the US, if they collect personal data of EU citizens, knowingly or not. Companies not compliant with the GDPR that are found to be in violation could face fines up to 20 million euros or 4% of the company's global annual revenue, whichever is greater.
The Foundation of the GDPR
The GDPR is actually replacing an older EU directive called the Data Protective Directive (DPD) that outlined eight principles of how companies and organizations should treat personal data:
- gather and process personal data fairly
- keep personal data for specific purposes
- process personal data only in ways that align with the purposes for which is was given
- keep personal data safe and secure
- keep personal data accurate and up to date
- ensure that the personal data collected in adequate, relevant, and not excessive
- keep the personal data no longer than necessary
- give a copy of personal data on request
The GDPR takes these principles to another level by increasing the responsibility of the company that is receiving the personal data in the following ways:
- consent: the person giving their personal data has consented to give their data for a specific reason; inferred consent is no longer allowed
- individual rights: those giving their personal data have the right to have their data forgotten (deleted) and they have the right to data portability, where they can see what data a company has on them and can take it with them
- internal procedures: companies will need to update their legal security documentation and procedures to make sure that GDPR best practices are put to use
- Privacy by Design: when coming up with new ways to communicate, companies will need to build with the GDPR in mind and will need to do a Data Privacy Impact Assessment to determine the disruption of privacy
- reporting breaches: companies will need to report a breach within 72 hours
- territorial scope: the GDPR is not just for those inside the EU; it is for any company that markets to or monitors the behavior of any EU citizen
- accountability: companies will need to demonstrate compliance, including sufficient training for employees and changes in company-wide measures to ensure compliance
- penalties: as stated earlier, companies could face fines up to 20 million euros or 4% of the company's global annual revenue, whichever is greater
HubSpot offers a few options of how a company could implement compliance in this blog post, but it is by no means the only steps that need to be taken. The post includes adding a consent checkbox to forms, adding a double opt-in, or making the subscription options more readily available. Take a look at the principles outlined above and in the actual GDPR regulation and talk with your team to plan out practical steps your company needs to take for compliance
GDPR Sets a Higher Standard for Marketers
While it might not sound like it, the GDPR actually helps create a higher level of trust between your company and the people it comes in contact with. By adhering to the policies that improve transparency between companies and consumers it should also create a deeper level of trust, with consumers feeling more confident in knowing how their data is being used and that they won't be receiving unnecessary or unapproved communication.
The EU has higher standards than the US when it comes to personal data, and as many companies that communicate with EU citizens update their policies and create more transparency across the board, consumers in the US will grow more accustomed to GDPR best practices and might become wary of those companies who don't meet those elevated standards. So while you might insist that the GDPR doesn't apply to you now, creating a plan to adhere to the GDPR is in your company's best interest long-term: you'll be set for compliance if you ever do obtain information from an EU citizen and you'll create trust between consumers both in the US and abroad.
Check out the resources below to learn more about the GDPR and where to get started as you create your plan to comply by May 25.
General Data Protection Regulation - Wikipedia
Privacy by design - Wikipedia
GDPR Compliance - HubSpot
Data Privacy Resources - HubSpot
Marketo and the GDPR - Marketo
The Biggest Changes Coming with the GDPR - Marketo