The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, is a new regulation that affects every company or firm that collects and uses the data of European citizens. It requires businesses, from banking to marketing and advertising, to change the way they handle consumer data.
It replaces the Data Protection Directive of 1995, since the use of the Internet has changed beyond recognition since the mid 90's. The new regulation gives citizens of the European Union more control over their personal data.
It has been 4 months since the implementation of the GDPR; still, many businesses around the world are worried about its effect on digital marketing activities. According to the survey, marketers still do not understand GDPR and its data protection landscape.
It has become a main concern for IT businesses and marketers because it restricts the collection of personal data about target customers, on which digital marketing relies. GDPR will push businesses to create data retention policies that specify the retention period required by law or regulation, which will prevent them from holding onto data for longer than necessary.
This article focuses on the effect of GDPR on marketing agencies and businesses worldwide.
GDPR and its effect on Businesses
Data nowadays serves as the cornerstone of the digital world and is key to running a successful business. GDPR sets out guidelines on protecting the privacy of users' personal data. As we all know, we provide our personal information to businesses in one way or another, e.g. to buy things online.
The renewed legislation assures citizens that their personal data remains under their control and is protected. It requires companies, small and big, to restructure their sites and update their privacy features so that customers have more control and can exercise their right to know how their data is handled.
This imposes more cost on companies; small businesses in particular need to improve their techniques for collecting and handling consumer data. In brief, if your business processes the data of EU citizens, whether it is based in the EU or outside, you need to comply with GDPR.
Personal data under the GDPR includes names, phone numbers, addresses, banking or financial information, photos, medical information and information associated with social media posts.
Cookies play a major role in digital marketing: collecting data on visitors' onsite behavior helps marketers refine their efforts and tailor marketing messages and entire campaigns based on behavioral analysis. Under GDPR there must be clear, specific and unambiguous consent for cookies on your site.
It also affects how you handle your CRM, as storing consumers' personal details is no longer permitted once they are no longer required. Data must be removed from all databases and platforms when requested, under the 'right to be forgotten'.
Digital Marketers & GDPR
1. Transparency:
Digital marketers need to be more transparent about why and how data is collected from consumers.
2. Notice & Consent:
Communicate with consumers through privacy notices specifying how their data is going to be processed. Users' consent must be obtained, and they must be informed of their right to withdraw or refuse it. Records should be maintained of who consented, when and how. Privacy notices must be reviewed periodically and updated with any required changes.
3. Purpose:
You need to be more specific about the purpose for which you collect data from customers. Collecting information beyond the predefined purpose, such as racial or medical details gathered without the user's knowledge or consent, is a breach of GDPR.
4. Collection & Storage:
Digital marketers will have to be careful about the collection and storage of personal information after gaining the user's consent. They need to take appropriate security measures such as encryption, pseudonymization or anonymization when sharing data with third parties, or segregate it from other data in their systems, in order to protect it.
Access to and retrieval of personal data must be limited to authorized persons.
5. Rights of Data Subject:
Under GDPR, you must clearly and explicitly inform data subjects (consumers) of their rights: to object, to be informed, to access, to rectify, to erasure, to restrict processing and to data portability.
If a data breach is identified, it must be reported within 72 hours.
Business owners should be aware of the heavy penalties for non-compliance with GDPR: 4% of their annual turnover or 20 million Euros.
If marketers use email for their marketing campaigns, they may do so for purchased lists only where there is an affirmative statement of consent from the contacts.
To comply with GDPR, they must also provide a proper way for their contacts to unsubscribe, for example: 'Unsubscribe from this marketing communication'.
The new regulation will help improve the reputation of marketing by encouraging good practices in making consumers aware of how their data is handled.
It helps consumers gain more awareness of ownership and control over their data, enabling them to access and review it at any time. The following changes are needed after GDPR implementation:
- Clean up outdated or redundant databases and conduct an internal audit if required.
- Carry out a legitimate interest assessment.
- Use multi-channel opt-in consent if you use electronic communications to communicate with individuals, contractors or partners.
- Create internal awareness among the stakeholders and staff of your organization about the upcoming changes and implications of GDPR.
- Be prepared to detect, manage, investigate and report any personal data breaches.
Once the data is stored with the company, it is the company's responsibility to ensure its safety and security, and to make sure that the types of data collected are assessed against the standards of the GDPR.
GDPR poses some real complexities for business owners and digital marketers seeking to comply with its rules and regulations, although it also gives them an opportunity to be more transparent and more relevant in protecting consumers.
Ashka Shastri is an infosec consultant responsible for ISO 27001:2013, SOC 2 and GDPR compliance at Acquire Inc. She has 2+ years of experience in information security compliance and audit. Ashka's primary focus is on emerging technology issues and privacy concerns for the organization. With a Master's degree in Cyber Security and as a Certified ISO 27001 Lead Auditor, Ashka actively supports initiatives that aim to improve security for us all. She is an active writer and enjoys spending her time educating people on security and privacy.