The EU General Data Protection Regulation (GDPR) kicks in on May 25th, 2018 for all companies processing personal data of citizens in the EU, regardless of where they are based.
This essentially means the majority of marketing organizations across the globe. According to research regarding GDPR compliance and awareness, most US companies are well aware of the GDPR and take the needed steps, while UK firms and companies in some European countries lag behind.
Time to take action
The consequences of serious data breaches or non-compliance with the GDPR, when it becomes enforceable in May 2018, can be high: up to 4% of global annual turnover or €20 Million, whichever is the highest.
With the GDPR, the EU wants one single framework for personal data protection for all EU citizens to create clarity and boost the digital economy. However, for organizations and certainly marketing organizations (and anyone processing customer data) there is a lot of work involved. Therefore, businesses and marketing organizations can’t afford to wait anymore.
While there are clearly benefits regarding the GDPR, there are also many questions. In a position paper, three marketing associations outlined several ones, among others regarding the duty of communicating personal data storage duration.
And things are about to get even harder for marketers. On top of the GDPR (in fact: hand in hand with it) there is also a new ePrivacy Regulation coming, normally around the same time as the GDPR. The draft text is already published and marketing organizations are anything but happy as there are, among others serious consequences, regarding cookies.
8 steps to take now in the context of the GDPR
- Create an awareness plan, including research/advice regarding the consequences for your business and marketing and training of your marketing staff.
- Check if you need a Data Protection Office or DPO. A Data Protection Officer is mandatory for some public authorities but also for companies whose core activities consist of processing operations that require regular and systematic monitoring of data subjects (citizens) on a large scale.
- Conduct an assessment. What data processing activities do you have today (processing is really all actions regarding personal data, including storing and so forth). Check where (customer) data sit, map the risks for your business and personal data breaches, look at existing policies regarding security, privacy and see where there are gaps between your current practices and GDPR requirements.
- Document the gap analysis. Creating a GDPR awareness and training plan, conducting an assessment and performing risk discovery don’t happen in isolation. Look at the specific people and processes involved in marketing but also work with legal, IT, security and others in order to have a clear documented gap analysis covering all processes and gaps.
- Plan. See what needs to be done in order to close the gaps between required practices and actual practices. For instance: how will you deal with requests regarding data access or data erasure (right to be forgotten) and the many other citizen rights in the GDPR? How will you deal with the consent rules?
- Roll out. Take actions to execute the plan and see that all action items are checked. Work with priorities of high risk and lower risk. Make sure you have KPIs.
- Measure, monitor and improve. Once the plan is rolled out measure the several KPIs and keep monitoring and assessing. You’ll have to improve but you’ll also need to keep looking at your customer data practices and at training of new employees, for instance.
- Look at the usage of new technologies. Marketers plan to leverage a bunch of emerging technologies, from predictive analytics and AR/VR to the Internet of Things and robotics in the coming years. And of course we also invest in less recent technologies and marketing tools such as marketing automation. Whatever the technologies or tools: keep in mind that they all need to be included in your GDPR approaches. The Internet of Things is also explicitly mentioned in the draft text of the ePrivacy Regulation. Moreover, there are specfic technological and other aspects you need to know about in the context of the Internet of Things, the GDPR and the ePrivacy Regulation.
Again, it’s a complex matter so make sure you get the right help and support in time. The stakes are too high.