As an agency that works with a number of cyber security clients, Bluetext has had the General Data Protection Regulation (GDPR) on its radar for quite some time. The GDPR, which goes into effect May 25th, 2018, regulates how companies must protect the personal data of European Union citizens.
The impending deadline is not lost on U.S. multinational corporations that touch EU citizens/consumers in any way, but most of the angst has been confined to those responsible for corporate compliance, IT and security. But GDPR is highly relevant to marketers and advertisers, who must start preparing now to ensure compliance. And the stakes are enormous: fines for non-compliance could be as high as 4% of a company’s global revenues! I’m no math whiz, but any executive responsible for that kind of fine can start looking for a new job now.
Whether or not marketers will be yelling Mayday! on the May deadline day roughly eight months from now will in many ways come down to becoming fully educated on the intent of GDPR when it comes to customer data privacy, its requirements, and how to convert the compliance challenge into an opportunity.
Organizations, not just CMOs, have some ways to go towards GDPR compliance. Gartner estimated earlier this year that more than half of companies affected by the GDPR will not be in full compliance with its requirements on deadline day. In commenting on this prediction, Bart Willemsen, research director at Gartner, counters the notion that this is only an issue in the European Union.
“The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well. Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”
For marketers specifically, the confidence level in being prepared for the GDPR is similarly low…and dropping. As of May, only 54% of businesses expected to be compliant by the deadline, per a Direct Marketing Association (DMA) survey – down from 68% when the survey was conducted just three months prior. In fact, nearly a quarter of companies had not even started preparing for GDPR, even though the law was first announced in 2012.
The challenge for CMOs will be dictated by how much transparency they need to build into their marketing processes – particularly as it relates to how customer data is handled. The less transparent those processes are, the heavier the lift will be not only to comply with GDPR, but also to demonstrate this compliance. Ultimately, a core tenet of GDPR – providing citizens with “ownership of their data” and the right to erase their data – runs counter to the desire by brands to deliver a superior, customized experience by retaining and analyzing as much data as possible.
Clear guidance will help alleviate those concerns for marketers and others impacted by the legislation. GDPR directs companies to keep data as long as it is necessary. How marketers define what is necessary may be different from how it is defined by citizens and EU lawmakers.
At the same time, some marketers are struggling to understand if efforts to be more transparent will come back to bite them. At a Direct Marketing Association (DMA) event this past May, chairman Mark Runacus pondered whether the Information Commissioner’s Office (ICO) would “penalize those who are trying to be open, honest and transparent.”
DIGIDAY has one of the better summaries of what marketers and advertisers need to start paying attention to now. A few takeaways from GDPR the author focuses on include:
- The definition of personal data has been broadened to include online identifiers such as IP addresses and cookies. This could cause problems for digital marketing, given cookies are not gathered with an individual’s consent.
- Under the GDPR, advertisers must get explicit and informed consent from EU residents. This means no more of the so-called “clickwrap” forms, those lengthy contracts that millions of people sign off on without reading each day. Instead, brands must find a way to get user consent, devoid of pre-checked boxes, or attempt to get implied consent.
- The GDPR won’t just affect organizations across Europe. Any business anywhere with personal data from EU residents must abide by the reforms.
- Marketers will need to take greater responsibility when processing personal data, and ensure that the manner in which consent was acquired from customers in the database is GDPR compliant.