Seven Things Marketers Need to Know About the New Data Protection Rules

Sharpen your pencils, marketers! It’s almost time to plan next year’s budget, and it’s your last chance to grab the resources you’ll need to get ready for the GDPR. That’s the new EU General Data Protection Regulation. For marketers, it will mean rethinking core marketing processes and then wrenching disruptions as you shift from data-hungry habits. But at the same time, firms that get it right – quickly – will reap huge benefits and competitive advantages that extend beyond the European market.

Despite the revolutionary impact the GDPR will have on marketing and marketers, The Content Advisory continues to encounter indifference and apathy about the Regulation. So let’s be clear: Ignoring the GDPR today could be fatal – for your marketing programs, your career, and your company. The last thing you want to do is go cold-turkey in the middle of 2018, closing down your data-driven marketing and customer experience efforts without a replacement plan or a transition. You must start planning NOW. (Well, yesterday, but ignore the spilled milk and get on with it.)

For a rapid introduction, here are seven things you must know about the GDPR.

  1. It applies to every company that does business in Europe — regardless of where they are located.

Unlike the current EU data protection policies, the GDPR is extraterritorial, meaning simply that it is not restricted to companies based in the EU. For example, take an eCommerce site that is incorporated in California and has no physical presence in Europe. If that site “offers goods or services” to EU residents – for example, by accepting orders from EU-based credit cards, or shipping products to the EU – then it must comply with the GDPR.

The Regulation applies to non-EU firms even if they do not charge for the services – think free email – and to firms that “monitor the behavior” of EU residents, such as third party tracking services.

  2. It will likely impact marketers more than other roles.

Are your targeting and personalization strategies finally getting up to speed? You’ve made the investments and built up the skills in grabbing and crunching data to deliver the content and offers people want when they want it? Congratulations!

Except . . . the GDPR places broad restrictions on how (and how much) personal data you can collect, as well as on “profiling” and “automated decision making” – i.e. perhaps the AI at the center of your new personalization platform. (For more information about data minimization and data protection by design, see our previous article.)

  3. It requires fundamental changes in how you collect, use, store, and share personal data.

One question we frequently hear is: How will the data protection authorities (DPAs) know if our company is following all of the rules in every aspect of our data processing? The short answer is: Because you are required to prove it to them!

The GDPR introduces a new principle called “accountability,” which means that it is up to the company (the “data controller”) to ensure that their behavior reflects the six core data protection principles and that they are able to demonstrate adherence with the principles. In effect, you are guilty until you can prove your innocence.

  4. It will not be “taken care of” by your Legal and Compliance staff. It demands new behaviors and processes from marketers.

The GDPR is a new regulation. Who handles regulations? Legal and Compliance, of course! But that’s not adequate this time. Requirements like accountability and data protection by design mean that behaviors have to change. This is why the UK’s chief DPA, Elizabeth Denham, constantly stresses that responding to the GDPR is not a “box-ticking” exercise but requires “a change to the culture of an organization.”

  5. The GDPR carries massive fines — up to €20 million or 4% of your company’s global gross revenue, for a single violation.

Say you’re a marketer at JetBlue. What happens to your marketing strategy, and your career, and your company, when a DPA determines your team violated the GDPR and levies a fine of $256,000,000? (That’s 4% of 2016 gross revenue.)

  6. A proper response begins with awareness and education. Get help now.

Once you look, there is a wealth of information and advice about the GDPR. Most response roadmaps begin – wisely enough – with a data inventory and audit: What personal data do you have, where did you get it, what do you use it for, and does it meet the conditions to continue using it?

For marketers in particular, however, a crucial preliminary step is a knowledge audit: Who knows about the GDPR and who needs to know? How do we acquire the requisite education and awareness of the core provisions and principles, and how they will transform how we do marketing?

Vivienne Artz of Citi has noted “For many organizations, it may require revisiting the core business model and making sure privacy considerations are considered afresh: yes, we would like to do this or that with data but can we do it, and even more importantly, should we do it? In many cases these are issues that have not been thought about in depth before, but now we have to consciously engage with all of the issues.”

  7. Doing nothing — or putting it off until later — is already a violation of the GDPR. You must be able to demonstrate a good faith effort to comply.

This isn’t legal advice but just common sense. Because the GDPR requires companies to be accountable for compliance, taking a wait-and-see, we’ll-get-to-it-later attitude demonstrates an absence of accountability! To be very clear once again: There will be no grace period after May 25, 2018.

You don’t necessarily need to be fully compliant by then. (If you haven’t started yet, you probably can’t be.) But you do have to be able to demonstrate and document a good faith effort.

Bottom line: Take a look at your current marketing activities. Do you collect and use personal data (including device ID, browser settings, etc.) of EU residents? If so, your marketing organization is obligated to conduct a thorough review and probable redesign of your processes and engagement strategies.

So how much should a marketing manager budget for GDPR compliance? One of my consultant colleagues says – 4% of global revenue! It’s a use it (for compliance) or lose it (in fines) argument. I’d say the less radical (and more feasible) approach is to understand how much change is necessary in your organization. And that points back to the initial steps involving education and awareness.