GDPR is coming. It’s been two years since the General Data Protection Directive was adopted by the 28 member European Union. It paved the way for full implementation of the toughest set of privacy rules yet. On May 25, 2018 it will be replaced by the General Data Protection Regulation – GDPR. By comparison, a “directive” is a strong suggestion, while a “regulation” is the law.
The GDPR is a comprehensive set of rules and guidelines governing the collection and use of personal data. In particular it contains extremely severe penalties for non-compliance. More than ever, personal data is being treated like private property, empowering people with tools to protect it.
The thinking is, everyone on both sides of the equation will benefit from the GDPR. The public’s data will be accurate and secure. Individuals will have sweeping rights regarding its use. In return, the properly collected, housed, and utilized data will be more robust and more responsive for target marketers. Estimates are that the value of such data may reach over a trillion dollars by 2020.
GDPR Applies To Both Business & Consumer Data
The new regulation does not distinguish between B2B and B2C data gathering, housing, transfer, and use for marketing. Therefore, reputational risks, and exposure to extremely costly fines imperils brand value and the bottom line. (This is one reason that the new law requires the organizations to have a dedicated Data Protection Officer to monitor and verify data activities. More on that later).
GDPR Is Coming To Postal Direct Mail
On the surface, the impact of the new GDPR may seem focused on email and other electronic communications. However, given the breadth of data made available to potential marketers, postal direct mail is every bit as likely to be scrutinized for compliance. Therefore, rigorous data hygiene must be part of the process. The top two litmus tests for justifying use in marketing mail are consent, and legitimate interest.
Consent is the preferred hurdle, and must be clear and explicit. However, in some cases consent may be difficult to obtain. That’s where “legitimate interest” comes into play. Legitimate interest is defined as documented evidence establishing that the use is based on demonstrable need by or benefit to the recipient. The goal is to strike a fair balance between the interests of the marketer and the target. Particularly in the case of B2B, establishing a firm rationale for one-to-one outreach, and carrying out a legitimate interest assessment is advisable.
That said, a clean opt-in list is the safest path to full compliance with GDPR. As always, data should be current and accurate, from individual appends to complete records.
Direct mail marketers would do well to increase efforts to profile and target their chosen segments zealously. Special attention should be paid to past behavior including purchasing and response. Scrubbing for opt-outs, movers, and those exiting the market will save time and money in the long run.
Recent findings suggest that postal marketing mail is experiencing a resurgence. If all goes as intended, the increase in data quality as a result of GDPR compliance could usher in a new “golden age” of highly responsive direct mail.
The Main Points
- Consent – Must be opt-in, not opt-out. (Double opt-in recommended.) Opportunity must be concise and easily understandable.
- Scope of Enforcement – Global, including for example U.S. companies marketing to EU citizens residing within the U.S.
- Penalties – Fines for non-compliance as high as 4% of global annual revenue, or €20 million, whichever is greater.
Data Subject Rights
A series of steps must be taken to accommodate the rights of individuals. The intention is to promote trust in the gathering, storage and use of personally indentifiable information (PII).
- Breach Notification – Notify data protection authorities within 72 hours of detection, and communicate high-risk breaches to affected data subjects without undue delay.
- Right To Access – Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way.
- Right To Be Forgotten – When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.
- Data Portability – This will make it easier for individuals to transmit personal data between service providers.
- Built In Protections – Privacy safeguards will be designed into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
- Data Protection Officers – The GDPR introduces the mandate to appoint a data protection officer (DPO) for organizations that are a public authority, or carry out certain types of processing activities. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO can be an existing employee or externally appointed
How GDPR Compares To Privacy Law Around The World
The GDPR represents the latest effort in a movement that has been going on for decades. The growth of data collection and use, plus the value of PII to marketers has necessitated erecting guardrails defining collection, storage, and use of personal data wordwide.
Businesses may feel that if they are compliant with CAN-SPAM (U.S.) and CASL (Canada), they are likely to be sufficiently compliant with GDPR to avoid significant action. That is not so.
CAN-SPAM only requires “opt-out”, meaning that the recipient is opted in unless action is taken. CASL remedies that weakness requiring only opt-in consent. GDPR sharpens the definition of consent requiring explicit opt-in “freely given, specific, informed and unambiguous.” It then extends the same standards of consent to processing of the data for further use.
Penalties for non-compliance have been escalated, from CAN-SPAM’s $41,484 for each separate email in violation (inflation adjusted), to up to 20 million Euros or 4% of annual global revenue.
CAN-SPAM covers only email messages, while CASL includes commercial electronic messages (CEM), including email, SMS, audio and video, sent within Canada or routed through Canadian servers. It also prohibits the use of spyware and malware. GDPR expands on CASL to mandate that protections must be “built into products and services from the earliest stages of development”.
Going forward, a business will need to acquire consent each time a person is to be contacted. It must identify itself and describe how their data may be used, and by whom, in plain language.
Individuals will have full control of their data. It can be corrected, reviewed, erased, or transferred. Plus, all of these actions must be documented and verified to the individual’s (and potentially to an authority’s) satisfaction.
What About The Asia/Pacific Region?
Comparing GDPR to guidelines and statutes in the Asia Pacific region are harder, since there is no centralized authority governing personal data privacy and protection there.
Australia and Japan have updated their privacy laws to include some of the provisions of the GDPR.
China has not created a formal data privacy statute but has taken steps to apply more rigor regarding cyber security. Other nations throughout the region such as the Philippines are toughening data privacy enforcement in the wake of specific threats. Overall, while many of the core principles of the GDPR are reflected in either statute or intention, the Asia Pacific region has not yet coalesced into unified alliance regarding the issues the GDPR now addresses.
GDPR has set the compliance bar higher for businesses wishing to market to citizens of the EU, wherever they may be, regardless of the nation of origin of the marketer. Given that the core values of consent, control and compliance are now codified in a single set of rules that are more comprehensive than any other, it therefore makes sense for direct marketers all around the world to become compliant with the GDPR.
Yes GDPR Is Coming – But Is It Enforceable?
The statute is comprehensive and the rules appear clear. That said, it will be up to the individual members of the EU to actively enforce the letter of the GDPR. Some countries that have a history of strict data privacy controls will be more likely to enforce GDPR. Others who see enforcement as an impediment to business growth may be more relaxed.
Then there is the necessity to enlist sufficient human resources to investigate, adjudicate and enforce instances of non-compliance. Implementation is unlikely to be a black/white transition from the old to the new. Rather it will be a process of education, adaptation and interpretation. Much of that leeway will be enjoyed at the enforcing authority’s discretion, leaving marketers to err on the side of compliance or risk disruptions and fines. Next stop, May 25, 2018. The GDPR is coming.
There has been a torrent of information published since the updates to the current directive were adopted in 2016. Below are sources of information regarding the GDPR: