GDPR for Marketing and Sales Professionals
03 Apr
Personal data protection, and how companies use customer data, is a major concern for many marketing and sales professionals in Europe. The European Union has acted on an issue its citizens consider important, and that is what the General Data Protection Regulation (GDPR) is all about. From May 25, 2018, the GDPR governs how personal data about consumers is collected, stored and used within the EU, and by organizations outside the EU that serve or track people in the EU.
If you haven’t fully prepared for these changes, or are struggling to understand what you need to do to make sure that your company and your department are in compliance, we’ll walk you through a few basics.
Important notice: While this article provides a general overview of the regulations, nothing in this article should be construed as legal advice. Only your company’s own Compliance Officer and/or Legal Department is in a position to determine the impact this law will have on your company and your company’s officers.
GDPR is short for the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679). It is the first major update to EU data protection law since 1995: it replaces Data Protection Directive 95/46/EC and, because it is a regulation rather than a directive, applies directly in every member state without needing national implementing laws. This harmonization is one of the big advantages of the regulation. Your company might have had to deal with a patchwork of national rules before, but from May 25 of this year there is essentially one set of rules across the European Union, with only limited room for national variation in the areas the GDPR leaves to member states.
In terms of timing, we are closing in on the end of the two-year run-up to full application. The GDPR was adopted on April 14, 2016 and applies from May 25, 2018; regulators had been working on draft versions since 2010. Nonetheless, corporate polls show that even many Compliance Officers and other top executives are still not fully familiar with the requirements, and well into 2018 many sales and marketing departments are still playing catchup on this issue.
Does my company need to comply?
If you are reading this, the quick answer is almost certainly yes. Article 3 of the GDPR defines its territorial scope in terms of two groups:
- Organizations established in the EU, regardless of where the processing itself takes place
- Organizations outside the EU that offer goods or services (paid or free) to people in the EU, or that monitor the behaviour of people in the EU
That is comprehensive, with one important nuance. The test is whether you target or track people who are in the EU, not their citizenship. Recital 23 makes clear that a website merely being reachable from the EU is not enough by itself; what matters is evidence of intent, such as offering an EU language or currency, quoting delivery to EU countries, or referring to EU customers. Monitoring, on the other hand, is read broadly (Recital 24): profiling visitors with tracking cookies or analytics in order to predict their preferences counts.
In practice, any organization that deliberately sells to, markets to or tracks people inside the EU has to comply with this regulation or face steep fines. Your company might be based in Chile or China or Canada, but if you court or profile customers in the European Union, you will have to comply with this comprehensive set of rules.
What is personally identifiable information?
The GDPR’s own term is “personal data” (Article 4(1)): any information relating to an identified or identifiable natural person, who is referred to as a “Data Subject.” It is broader than the US notion of personally identifiable information (PII). It covers obvious identifiers such as a name, a photo, an email address, bank details, a physical address or a national identification number, but also online identifiers such as an IP address or a cookie ID, location data, posts on social networking sites, and anything else that can be linked back to a person, on its own or in combination with other data. Certain “special categories,” including health and medical information, carry additional restrictions (Article 9). So again, this is very broad, and applies to almost any information gathered about individuals.
For sales/marketing, customer data is our lifeblood as well as a source of revenue in many cases. What is going to happen with this data?
Let’s break this one down to a few key points:
You are going to have to:
- Locate and identify the personal data you hold. Most companies have multiple copies of customer data in spreadsheets, CRM systems, mailing-list tools and databases, spread across servers, laptops and cloud services. It all has to be found and catalogued, and the GDPR expects a written record of processing activities (Article 30) describing what you hold, why, and who you share it with.
- Cull the data. Keep only the data you need for a stated purpose, and only for as long as you need it (the data minimisation and storage limitation principles in Article 5).
- Have policies and controls in place to safeguard the data. Customer data is valuable, and it is at risk if it is lost or stolen. Article 32 requires security measures appropriate to the risk, and names pseudonymisation and encryption as examples. Fines under Article 83 reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for infringements of the core principles and of data-subject rights; a lower tier of EUR 10 million or 2% applies to failures such as inadequate security or missed breach notifications.
- Report data breaches promptly. A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of your becoming aware of it, unless it is unlikely to result in a risk to the people affected (Article 33). Where the risk is high, the affected individuals must be told as well (Article 34). Note that “breach” covers accidental loss, destruction or disclosure, not only theft and hacks, and that the clock starts when you become aware, so detection and a clear internal escalation path matter as much as the report itself.
- Have a lawful basis and explain it. Every processing activity needs one of the lawful bases in Article 6; consent is only one of them, alongside performance of a contract and legitimate interests (direct marketing can be a legitimate interest, per Recital 47). Where you do rely on consent it must be freely given, specific, informed and unambiguous, pre-ticked boxes do not count, and withdrawing it must be as easy as giving it (Articles 4(11) and 7). In every case your privacy notice has to tell people what you collect, why, and for how long (Articles 13 and 14), and the right policies and procedures have to be in place (and communicated) so that customers know what your company is doing with their data.
The last point is significant for how the law will impact you, both downside and upside (yes, there is an upside).
First, Data Subjects now have much more control over their data. And it really is “their” data: they can ask what you hold about them and why (right of access), have it corrected, have it deleted, have its use restricted, object to processing (including an absolute right to stop direct marketing, Article 21(3)), and receive the data they gave you in a structured, commonly used, machine-readable format so that it is portable and can be handed to another company (Article 20). You generally have one month to respond to such a request, extendable by two further months for complex cases (Article 12(3)).
The downside is obvious: you have less latitude over what data you collect and retain, and your databases will shrink to what you can justify. Surveys in many European countries (and elsewhere) find that large majorities of people would prefer that their data not be collected at all, even when the collection benefits them.
In addition, this new law has teeth – the directive it is replacing did not have such stringent enforcement mechanisms. This increases the downside legal risk of even accidental data breaches that are not dealt with immediately and fully. And compliance in general will cost money and time.
What’s the upside, then? Several points:
- More transparency. Your customer communication game will be improved, and customers will understand better what your aims are.
- Increased trust. This improved transparency means improved customer confidence, and it becomes much harder for bad-faith actors to hide what they do with data.
- Harmonized legislation. This law applies across Europe and replaces (for the most part) national laws. With 28 countries in the EU (or 27 if and when Brexit is completed), companies have had to deal with a wide variety of legislation. That is no longer the case.
- Better-focused customer databases. The ease of opting out, and the requirement for informed, freely given consent where consent is the basis you rely on for collecting data, mean that the customers who allow you to keep their data are actually interested in your product, your company and your sector.
New laws mean new policies, and policies have to be communicated in all the countries in which you do business.
Some key documents that will need translation include (but are not limited to):
(i) Privacy Notice;
(ii) Breach Response Policies;
(iii) Employee Privacy Notices;
(iv) Template Data Processing Agreements;
(v) Statutory Data Transfer Agreements, which may need to be translated from English or French for reference purposes.
Donnelley Language Solutions can help you with all of your compliance and translation requirements.
Donnelley Financial Solutions Chief Security Officer, Danny Combs, and Global Data Privacy Director, Joe Prempeh, provide an overview of the GDPR regulation and explain how its policies should be implemented in your company.
This blog post is for information purposes only. Donnelley Financial Solutions does not provide legal advice and does not hold itself out to be a legal adviser. You must obtain your own independent legal advice or rely on your judgment when complying with your regulatory obligations.