GDPR – What You Need to Know for May 25

The European Union (EU) General Data Protection Regulation, or “GDPR,” as the cool kids are calling it, is a data protection law that goes into effect on May 25, 2018.

The law affects data collection and storage of persons who reside within the European Economic Area (EU plus Norway, Lichtenstein and Iceland).

BUT – the law has “extra-territorial” effect, which means it applies even to companies that are located outside of the EU. Yes, your business in North America, South America, Asia, Australia or Antarctica could fall under GDPR liability.

Should you panic?

In short, no.

But you do need to pay attention. And you’ll likely need to make some changes if you want to be compliant. And once you’ve read through this article, head over to Facebook and RSVP to The Social Media Hat and Stephanie Liu’s free Facebook Live Q&A on Thursday – all about GDPR (recorded video below).

The European Economic Area, Source

What is GDPR?

GDPR was passed in 2016, and while the topic has been at the forefront of European marketers’ minds for several months, the conversation in the US is just starting to pick up. With the May 25 effective date fast approaching, what was a light buzz is now turning into a panicked scream.

Do you need to worry that the big, bad EU police are going to bang down your door because your email opt-in form was wrong? 

Likely no.

High-profile, multinational companies, on the other hand are on high alert (you may have noticed an influx of updated privacy policies. If you have any multi-national companies as customers, you may have received questionnaires and data processing agreements for you to sign.  GDPR is why).

However, even if you’re small enough to avoid GDPR detection, you do still want to pay attention. If nothing else, GDPR is likely to cause a significant mindset shift for European consumers.  European residents have a new expectation for how their data will be managed and what their rights are. If you want to maintain the trust of these clients, read on.

A quick history for context

“The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years…” (“EU GDPR Information Portal”, EUGDPR.org)

Up until now, personal data processing in the EU has been covered by two main pieces of legislation:

• • the EU Data Protection Directive, officially Directive 95/46/EC, which was passed in 1995, and

• • the “Cookie Directive” or E-Privacy Directive, officially Directive 2002/58/EC, passed in 2002.

The Data Protection Directive and the Cookie Directive follow the same construct: EU directives are merely guidelines for the member countries, not obligations.

“A ‘directive’ is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals” (“Regulations, Directives and other acts”, Europa.eu). Because each country made its own laws to achieve the goals of the directives, companies doing business in the EU have been subject to a mish mash of laws that could change from country to country.

GDPR, as a regulation, is “a binding legislative act. It must be applied in its entirety across the EU” (“Regulations, Directives and other acts”, Europa.eu).

As much as GDPR may feel like an ominous imposition from on high, it’s an improvement on the current situation for companies doing business in the EU. GDPR creates a consistent policy and one governing authority for all of the EEA. Dennis Yu, data expert and owner of BlitzMetrics, put it simply, “It’s actually easier to do business now.” 

Note: GDPR does not replace the Cookie Directive, though there will be a regulation to replace it at some point in the future. Here’s everything you need to know about the Cookie Directive.

An example of informed consent according to the EU Cookie Directive. If you’ve ever been to Europe and wondered why you had to accept cookies on every site you visit, it’s because of the Cookie Directive. Source

Who does GDPR cover?

GDPR covers “natural persons,” regardless of citizenship, who are within the jurisdiction of the EEA when their data is collected (Article 1). This coverage includes European citizens, European residents, as well as American tourists on vacation in Italy. If the person is within the EEA at the time their personal data is collected, their data is protected under GDPR.

Children – the law has some very important provisions regarding children. Most notably, it raises the age of consent to 16, although Member States are authorized to provide for a lower limit, the minimum age for consent being 13. It is only lawful to collect data on children under 16 years old if their parent or guardian gives consent.

Whatsapp caused a stir when it raised its minimum age to 16 ahead of the May 25 deadline for GDPR.

The law covers the behavior of two categories of entities: data controllers and data processors.

Data Controller – the data controller determines “the purposes and means of the processing of personal data” (Article 4). The data controller can be a natural or legal person, public authority, agency or other body. In most cases, if your website collects the personal data, i.e. name and email address to sign up for your mailing list, of individuals based in the EU, you will qualify as the data controller, since you are the one deciding how and why data will be collected.

Data Processor – the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Processing includes: collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying data.

Let’s say you use MailChimp to collect email addresses. When you create your account, they collect your personal data because you are their customer. In collecting your personal data, they are a controller. However, when MailChimp collects the personal data of your customers on your behalf, they are a processor, and you are the controller because you decide why and how the data will be collected. Depending on what you then do with your customers’ data, you may also become a processor.

The processor/controller relationship can get complicated. Companies like AgoraPulse offer their customers Data Processing Agreements to clarify in writing who is what when.

Facebook released a detailed statement on when precisely they are controller or processor, and when the responsibility falls to you.

Facebook outlines who’s responsible for what when. Source

Where does it cover?

The scope of the law is “extra-territorial.” It goes beyond EU borders, so even if your business has no presence in the EU, if you are collecting personal data from people in the EEA jurisdiction and to the extent that such processing of data relates to the offering of goods or services to these people (even if no payment is involved) or to the monitoring of their behavior, the law applies to your business.

For additional commentary from a legal perspective, listen to Mitch Jackson and Joey Vitale from LegalHour.live.

What does it cover?

The first point of GDPR establishes that data protection for people is a “fundamental right” (Preamble, Section 1). As such, GDPR substantially expands individuals’ rights to data privacy and protection. 

The whole law is 261 pages long, so here are a few key points to help you understand what you’re dealing with:

1. Consent

Consent is an essential component to GDPR and is one of 6 legal bases for lawfully collecting and processing personal data under GDPR. Under GDPR, if you rely on consent as a legal basis for collecting and processing the personal data of individuals, the consent to collect and process the data must be clearly and expressly given. No ifs, ands, or buts about it. Pre-checked boxes are a no-no. Silence or inaction does not meet the bar. Individuals have to say, “yes, you have the right to collect and process my data.” 

The consent must also be informed, so you have to conspicuously disclose the purpose for the collection and make sure the consent is expressly given for the purpose for which you collect the data.

Andrew & Pete did a funny, yet informative video on this one if you’re ready for a good laugh at this point.

MailChimp recently rolled out a GDPR-compliant opt-in form.

2. Privacy by Design and Privacy by Default

Article 25 lays out the new obligations for privacy by design and privacy by default. Privacy has to be built into the structure of your organization, your processes and procedures. 

Your business is now responsible for implementing “appropriate and organisational (sic) measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing…” 

Your company will need procedures, staff training and contracts to make sure that your clients and employees’ data is protected.

“Make sure that privacy is ingrained in the culture of the company,” says Stephan Grynwajc, managing partner of Law Office of S Grynwajc, a NY-based law firm specializing in advising U.S.-based clients on doing business in the EU, and particularly in navigating the EU privacy regulatory landscape.

3. Access to your data

GDPR lays out clearly that data subjects have the right to their data free of charge (Preamble, Section 59). If someone asks for their data, you should have in place the means for them to make this request electronically.

You also need to respond to their request “without undo delay and at the latest within one month” (Preamble, Section 59). If you cannot comply with the request, you have to provide the reasons why.

4. Data Portability

People now have the right to ask for their personal data that you have on file. You are obliged to give them that information in a “structured, commonly used and machine-readable format,” and they “have the right to transmit those data to another controller without hindrance” (Article 20, Section 1).

In other words, you have to give them their data in a portable manner that can be transferred to someone else.

5. Right to be Forgotten

Unsubscribe is no longer enough. People now have the “Right to Erasure” (Article 17). When someone asks you to do so, you have to delete their personal information from your database, as well as from the databases of any third-party processors who have their data on your behalf.

There are some exceptions to this, for example when you are legally required to store data for a certain period of time. This will be true for non-profit donor information, accountants, lawyers, etc.

71% of HubSpot Research survey respondents agreed that companies should not store personal data at all. Full erasure of customer data will require strong processes in your business. Source

6. Breach notification

In the event of a data breach, data controllers are now obligated to report the breach to the local data authority within 72 hours.

Data processors must notify data controllers “without undo delay after becoming aware of a personal data breach” (Article 33, Section 2). 

Data controllers are also required to notify the data subjects, i.e. your customers whose data was compromised, of the breach (Article 34). Articles 33 and 34 also lay out specifically what information has to be included in the notification. 

The data breach notification requirements will be a big one for small businesses to follow. Again, even if the EU doesn’t bang down your door, you will lose the trust of your customers if you don’t follow a law they know they are protected by. If you are an agency, you need to help your clients follow a law that applies to them in connection with data you process on their behalf.

7. Data Protection Officers

The creation of Data Protection Officers, or DPOs, is one of the main points where GDPR smooths things out for companies doing business in the EU. “Currently, controllers are required to notify their data processing activities with local DPA’s [Data Protection Authorities], which, for multi-nationals, can be a bureaucratic nightmare with most Member States having different notification requirements” (Key Changes).

InfusionSoft’s DPO. Source

Businesses no longer have, in most countries (the UK is one exception), an obligation to register with a local authority, but they are now obligated to keep internal records that document their compliance. Most businesses are not required to have a DPO.

The three situations where a data processor or controller needs to have a DPO are:

1. 1. the data is processed by a public authority or body, except for courts acting in their judicial capacity;

1. 1. the core activities of the controller or the processor “require regular and systematic monitoring of data subjects on a large scale”; or

1. 1. the data is sensitive in nature. These “special categories of personal data” are described in Article 9: personal data revealing racial or ethnic origin, political opinions, religious or philosophical believes, trade-union membership, genetic data, biometric data, health data and data about a person’s sex life or sexual orientation. Data relating to criminal convictions and offenses (Article 10) is also included.

8. EU Representative

Technically any business not based in the EU, regardless of size, which is processing data of persons in the EU needs to have a representative in the EU. The obligation for a representative is laid out in Article 27 of the GDPR. The representative must be present within the EU, and the representative’s job is to act as the point-person for the local authority.

In addition to a DPO, Arizona-based InfusionSoft has also appointed two EU representatives. The jobs of a representative and a DPO are different. Source

Juliette Ancelle, a partner of id est avocats, a Swiss law firm specializing in technology, media and advertising, points out, “When the company is not based in the EU, but you’re subject to the GDPR due to your processing activities of data of individuals located in the EU, there is an obligation to appoint a representative, subject to very limited exceptions.”

Ancelle notes that it is not clear at this point in which country exactly businesses who have no presence within the EU should appoint their representative if their processing activities is not limited to one Member State. She adds that representatives may further be subject to additional local laws since Member States still have the right to pass their own legislation on top of GDPR.

Having a representative does not relieve a data processor or the controller of legal responsibility.

While small companies may be able to fly under the radar on this one, mid-sized companies may want to take note. If you don’t and you grow, it could come back to bite you later.

REMEMBER: Stephanie Liu of Lights, Camera, Live is hosting a free Facebook Live Q&A covering all of these topics, 5/24 @ 5pm ET.

Who is enforcing this?

The key difference between a directive and a regulation is a regulation is legally binding. 

In order to enforce the law and give it real teeth, the EU has added substantial penalties. Fines for non-compliance can go as high as 20,000,000 EUR or “up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher” (Article 83, Section 6).

This being said, enforcement of the law is going to be selective. GDPR establishes the European Data Protection Board (Section 3) to oversee the implementation of the law. Each Member State is responsible for providing one or more public authorities responsible for enforcement, and each supervisory authority will act independently (Articles 51 and 52). These local authorities will levy any fines.

The EU’s new authority on data protection has a Twitter account and can’t wait for GDPR’s May 25 drop date. Source

Additionally, each Member State can pass additional legislation around data protection.

All of the experts I spoke with noted that at this point, no one knows how this law is going to be enforced. Only 5 of the 28 Member states of the EU have, as of the date of this article, updated their national legislation in order to implement the GDPR, The EU and its Member States’ supervisory authorities also have limited resources and manpower to investigate GDPR compliance issues. The experts agree that early enforcement will most likely target the big fries.

Grynwajc says, “Ultimately it’s going to have to be a risk analysis. Companies will have to decide if this is something they’ll prioritize when and as the business grows.” 

Ancelle says, “It will be difficult to reach those companies if they don’t appoint a representative in the EU. Exercising a fine is not an easy process. 

“For companies that have no presence in the EU, there’s not an immediate risk. The reputation damage will be much stronger than the legal risk. EU citizens now have a very high expectation of privacy. With the Cambridge Analytica scandal, there is a very strong feeling in Europe that our privacy should be protected.”

Ancelle points out, as well, that for businesses who think they can avoid compliance now, “if they want to implement in the EU later, and the authorities know you have not been compliant, they’ll probably make it harder for you.”

Consumers still want protection. Source

How do you implement GDPR in your own business?

Here are some guidelines for implementing GDPR in your own business:

Email Marketing:

• • Have clear, explicit language a child could understand on your opt-in pages. Don’t hide consent in legalese. Dennis Yu recommends incorporating this language throughout your landing page, rather than trying to hide it.

• • Use GDPR compliant opt-ins. MailChimp has added GDPR boxes. LeadPages now has a GDPR consent check box.

• • Document your opt-ins. Screenshots could be your lifesaver if you ever do have to prove compliance.

• • Clean up your list. GDPR has an obligation for “minimization.” You can only ask for the minimum amount of data you need to provide your good or service, and you should only keep the data as long as necessary. Cleaning up your list is a good habit regardless. Dead leads give you inaccurate open rates. Go for an engaged list rather than a large list.

Privacy Policy:

If you don’t have a privacy policy, now is the time to get one. Again, this is regardless of GDPR. 

Ancelle recommends that your privacy policy contain at a minimum:

• • Specifics as to the type of data you’re collecting

• • What you’re going to do with the data

• • Where you’re going to store the data

• • Who will have access to it

• • Which security measures you have in place

• • Who to contact if someone wants access to their data or to correct their data

Ancelle adds, “What will be extremely important now is not necessarily the content, or at least the topics, but how you present them, how clearly you present them, and how the privacy policy is implemented internally in your company. If you have a policy, but then you don’t follow it, or you want it to be too broad, you probably won’t have a valid basis for consent and then not a valid basis for processing if you are processing on the basis of consent. Before drafting the policy, identify what you have, what you want and what you’re going to do with the data.”

Grynwajc recommends starting with the Article 29 Working Party Transparency Guidelines as a guideline for drafting your own privacy policy. Then, you have to ask yourself, “How do you display your privacy policy? How do you make it big enough so people can see it?”

The Article 29 Working Party Guidelines on Transparency are a good starting point for your own privacy policy. Source

Transparency is a key principle of GDPR. That includes how you display your privacy policy.

It is important to note that Grynwajc cautions against using non-EU counsel for interpreting EU legislation. EU law is written in a different interpretive culture than American law. “It’s more than just reading a piece of paper.”

Pixels, Cookies and Tags:

Cookies are covered under the Cookie Directive of 2002, which is still in place, however, some data tracked by Facebook pixel and Google Analytics is personal in nature and therefore covered by GDPR. Both Facebook and Google have been making changes. At F8, Facebook announced a Clear History feature to allow users more control over how their data is tracked.

To be compliant, make sure you add a cookie and privacy policy consent to your website that covers tracking.

“I’m fine with this.” Your consent language should be clear, not legalese. Colors, a prominent popup and large font make the elements of this cookie consent box very apparent. Source

Protecting Data in Your Business:

You have to develop procedures, and you need to train your team. There’s very little wiggle room here. It’s what the Privacy Awareness Academy refers to as a “Human Firewall.”

Forget compliance with GDPR for a second. This is to protect your business. The cost of a data breach could put your business under. According to IBM, the average global cost of a data breach involving 24,000 records is $3.62 million (2017 Ponemon Cost of Data Breach Study).

Jennifer L’Estrange, managing partner of Red Clover, a strategic human resources firm specializing in technology, points out that under GDPR, “Whether it’s through our marketing or how we handle our employee data or our customer data, we have a duty of care to make sure it’s protected… It’s a mindset change for an organization as far as awareness and their practice for how they handle data.”

When it comes to developing your data processes, L’Estrange advises that businesses put in place now the processes they’ll need for later. “If today you’re a five man shop and you’re managing customer data for clients or for yourself, set it up in a way that, when you’ve got hundreds of thousands of data records in your database, you still have the same robust process that you had when you had 1000 records.

L’Estrange and Yu both recommend leaning on the software you’ve chosen to store your data. L’Estrange points out that choosing more robust software with data protection and the capability to erase data when needed can give you peace of mind for the future.

Yu advises having checklists for onboarding and offboarding both customers and employees. When someone joins your agency or company, you have to grant them access to accounts and profiles with data.  When they leave, the checklist allows you to remove that same access. 

“The real takeaway is process. When businesses don’t have clear processes, that’s when breaches happen,” he says.

He also recommends only granting the necessary level of access. Business Manager has five levels of access. What level of access do people actually need?

Grynwajc recommends having language in employee and contractor agreements that hold people accountable for the management of data. He says a confidentiality clause is not sufficient.

Ancelle recommends having a deletion policy. “Don’t keep data that you don’t need. It puts you more at risk to continue storing data that you don’t need and you don’t use.”

L’Estrange stresses that, especially for larger companies, GDPR compliance should not to be pushed onto the IT department. “I think the responsibility for understanding and implementing this kind of change requires shared ownership between IT, Legal, and HR or Marketing (depending on the data), not just IT alone.”

What will be the impact on Social Media Advertising?

As with the enforcement of GDPR, it is difficult to know at this point what the impact will be on social media, particularly paid social media. Ancelle predicts “a lot of big social media companies will likely adapt their policies by having a regime for European citizens and a regime for others based outside the EU.” 

Yu notes that we are already seeing changes with Facebook custom audiences. Facebook has taken away potential reach and is using more rounding in it is audience sizes.  Going forward, he predicts that we are going to see less granularity, with estimates becoming broader and broader. 

Facebook limits the information it gives marketers about Custom Audiences size.

He adds, however, that he thinks a lot of these changes would have come anyway. Facebook is “internalizing the complexity, letting their system do the work,” which he says is best for marketers anyway. Facebook is best at its own game.

Ancelle anticipates that the real impact of GDPR and the consequent changes will be felt in the coming years. She too predicts we’ll see an impact on accuracy, as well as price, for social media advertising.

So where does that leave us?

Take a deep breath. Don’t panic. As Dennis Yu says, “GDPR doesn’t have the details yet.” He predicts that there will be a few “poster children over the next year.” For the rest of us, we’ll be able to watch how this plays out.

Use GDPR compliance as an opportunity to bring your business practices up to date with the technology. The gauntlet is not coming down on May 25th, so take your time, but do the work. 

Be like Dennis Yu and make a checklist of what you need to do. 

Take Jen L’Estrange’s advice and think about how you want your business to function in five years. What do you need to put in place now to support where you’re going to be? 

If you are a larger company, it may be worth bringing in a specialist in procedures and organizational processes. 

If you are small, run your privacy policy past a lawyer. 

We all saw how Cambridge Analytica was a breach of users’ trust. Whether or not what happened was legal or in compliance with Facebook’s Terms of Service, what rose to the surface was Cambridge Analytica did not have clear, unambiguous consent from the survey participants to use their data in the way it did. The consequence for Facebook is real. People trust Facebook less, and by extension they trust us, the marketers, less.

Again, unless you’re a multi-national firm with a high profile, GDPR is probably not going to affect you too much directly. Use this time to ensure you protect your highest priorities: your business and the trust of your clients.

Got more questions?

Watch this free Q&A w/ Mike Allton and Stephanie Liu below!