The General Data Protection Regulation (GDPR) is new legislation enacted by the EU Parliament to give EU residents more control over their personal data. The deadline for full compliance is May 25, 2018. This regulation creates challenging hurdles for marketers. While we’re working toward addressing our relevant obligations under the GDPR, we’ve had lots of questions. That made us think … wouldn’t it be nice if we share as we learn?
More Data Protection Regulation: Why?
In 1995, the EU enacted the Data Protection Directive to guarantee EU residents’ right to privacy, but a lot has changed since then, including widespread internet access, mobile phones, digital record-keeping and social media. The 1995 directive also allowed the EU Member States to tweak the legislation and create their own regulatory authorities, so inconsistencies emerged, increasing confusion and making the law difficult to enforce. We’ll talk about this a little later, but one outcome of this new law and its implementation strategy will be a reduction of those inconsistencies. A press release by the Economic Commission explains the GDPR goals as “reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.” Some benefits to EU residents include:
- The “right to be forgotten,” sometimes called the right to erasure. Under this legislation, EU residents can withdraw consent for their personal data to be used and can request that their data be deleted. The law requires companies to get explicit permission to process data, from cookies and IP addresses to phone numbers and DNA.
- Easier access to personal data. Under GDPR, EU residents have the right to know how their data is being used. It also makes it easier for individuals to transmit data between service providers.
- The right to know when your information has been compromised. Companies that collect data about EU residents must notify the authorities and the affected data subjects of a breach as soon as possible.
- Data protection by default and design. Privacy-friendly default settings must be baked in during development of products and services – think of your email opt-in, mobile apps and social media settings.
- Penalties for companies that don’t comply. Non-compliance could result in penalties of up to 4% of the offending organization’s worldwide annual revenue.
What Data is Covered by the GDPR Legislation?
Any information that can be used to identify a covered individual, including:
- Unique identifiers, such as social insurance account numbers.
- Location data that can be used to pinpoint an individual.
- Email address, phone number and other contact information.
- Characteristics specific to an individual, such as political opinions, religion and physical details.
- Specific categories of data, such as genetic and biometric information.
When you first start thinking through your compliance efforts, you’ll have to make decisions. For example, how are you growing your email list? When a customer enters their email address to sign up for a contest, do you automatically add them to your list? By May 2018, commerce marketers must collect affirmative consent from EU residents that is “freely given, specific, informed and unambiguous” in order to be compliant with GDPR. We already deploy emails on your behalf to your opted-in subscribers, but the new regulation may require even more transparency about what your readers are subscribing to. We’re looking at this as a customer-first approach – and we think that’s a good thing.
Which Companies Must be GDPR Compliant?
Here’s the basic breakdown: All companies that offer goods and services to EU residents or monitor the behavior of EU residents (whether the residents are EU citizens or not) must comply with relevant obligations under the GDPR.
What are the Benefits to Marketers?
Hopefully, it will bring simplification. Today, each of the 28 EU Member States has its own interpretation of the 1995 Data Protection Directive and its own supervisory authority. In May of next year, there will be one law and one regulatory authority in the EU on data protection. This new approach means more consistent requirements and less red tape, but it requires a lot more documentation. Though that is a challenge at first, the documentation will help many companies confirm the privacy and security practices that will now be subject to significant fines if not implemented per the GDPR requirements.
What Does That Mean for Bronto?
Although Bronto is headquartered in the US, some of our customers are based in the EU and many others have retail customers in the EU. That means the data we collect to help us run our business and the data our customers send and receive through the Bronto Marketing Platform may be within the scope of the GDPR.
We’re in the assessment phase right now. During this phase, all departments are reviewing our data handling practices and processes, including itemizing the types of data we collect, the types of data we are processing for our customers, what the data is used for and what security measures are in place.
In a way, GDPR is requiring companies to have a customer-first approach when collecting data. We have always put customers first, and we’ve always been proud of our data security standards and our stance on only emailing opted-in subscribers. During the coming months, we will continue to evaluate everything we do to help ensure that we provide features and tools designed to enhance your ability to comply with your obligations under the GDPR. We’ve got a lot of work yet to do, and we’ve got a lot of help. As part of Oracle, our efforts are part of the larger Oracle compliance process, giving us the expertise and strength of an expansive enterprise-wide privacy and data protection program.
I’m sure you still have lots of questions. And we want to help as much as possible, so, while we can’t tell you what you need to do in your compliance efforts, we can answer general questions about what Bronto is doing and point you to resources that may help you in your quest. As a start on those resources, check out:
- Full text of the General Data Protection Regulation (GDPR) legislation.
- The DMA’s library of GDPR resources.
- The European Commission’s Q & A about GDPR.
- ICO (Information Commissioner’s Office, UK) paper on 12 Steps to Take Now.