American companies that market their products in Europe need to prepare for sweeping changes in privacy regulations. New rules that govern data protection in the European Union take effect on April 14, 2018 and have wide-ranging implications for companies that store and use personal information.
The new EU General Data Protection Regulation (GDPR), under development for the past four years, is designed to harmonize data privacy laws in Europe. The new rules have been crafted to protect the privacy of EU citizens and to reshape the way organizations within the region handle personal data.
The fundamental impact of GDPR is that it gives consumers more control over their own data. “The goal here is to protect EU residents, and to ensure that their data is used appropriately,” says James McDermott, the CEO of Lytics, a Portland, Oregon company that specializes in developing customer data management platforms.
McDermott and Alex Langshur, co-CEO of Cardinal Path, a Chicago-based digital analytics firm, provided a detailed analysis of GDPR during a recent webinar presented by the American Marketing Association.
GDPR will alter the balance of power in terms of data control, predicts Langshur. “Now,” he says, “data subjects are the true owners of their data, and they get to decide who they will share their data profiles with.”
Privacy by Design
The EU is codifying the concept of “privacy by design,” which is based on the belief that companies should collect and store only the minimum amount of information they need about an individual. Equally important, the EU now expects privacy protection to be an integral part of any system handling personal information.
“You must consider the privacy impact at all stages of development for the service or product should it involve the processing of personal data,” says Langshur. “For example, if you sell clothing, you wouldn't want to put a field in the check-out process that would ask for the make and model of the car the person drives. That information is not relevant to the sale.”
One of the most significant aspects of GDPR is its territorial scope. The new EU regulations apply to all companies processing personal information of EU residents, regardless of where the company is located. Non-EU businesses processing the data of EU citizens are expected to have a representative in the EU, and larger companies should have a designated “data controller,” someone dedicated to database management.
Consent Is Mandatory
One of the most important considerations for American companies handling the data of EU residents is consent. The conditions for consent have been strengthened under GDPR, and companies will no longer be able to use illegible terms and conditions full of legalese.
Consent, adds McDermott, must be obtained using an intelligible, easily accessible form that is written in clear and plain language. GDPR also requires that EU residents be able to withdraw consent as easily as they provide it.
In practical terms, the EU now requires an “opt-in” standard for data collection and marketing. Companies maintaining personal information for any purpose must have an individual's permission.
“If you're trying to expand across the EU, you'll need to ensure that your digital initiatives include systems to obtain consent,” says Langshur. “This will place significant burdens of compliance on your organization, so you'll need to be sure that you are fully aware of what these are, and factor these into your decision-making.”
Right to Access and Portability
GDPR also requires that companies maintaining data on EU residents provide a way for people to access their records. The EU now requires that data subjects be given information about where and how personal data concerning them is being processed. Moreover, companies must provide a copy of any personal data upon request, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
In addition to the right of access, the GDPR includes what is called the “right to be forgotten.” In short, that means an individual has the right to have his or her personal data erased. That includes removing consent for dissemination of personal data and, in some cases, may extend to third-party data processors.
GDPR also allows for data portability, giving individuals the right to have their records moved from one company to another. “Data portability is a brand new and really interesting right,” says Langshur. “A data subject can demand a company that they do business with provide them with a machine-readable copy of all the data they have provided to the company. That person can then go to any other company and give them their data history.”
Stiff Penalties for Non-Compliance
While it is still unclear how the long arm of enforcement will extend beyond the EU, what is clear is that, within the EU, GDPR enforcement is set to begin on May 25, 2018.
Companies that are not in compliance face fines of up to 4 percent of annual sales or €20 million, whichever is greater. It is also important to note that these rules apply to both controllers and processors, which means that data stored in the cloud or outside of the EU is not exempt from GDPR enforcement.
“The threat of enforcement is 100 percent real,” says Langshur. “We've been told to expect enforcement actions on the 26th of May. But I don't think the EU will be focused on SMEs at first, as there are much bigger targets to consider. Also, if you have limited EU exposure, then clearly your risk will be further mitigated.”
Preparing for GDPR
Companies involved in everything from data storage and transactions to email and website marketing will be affected by GDPR. Three proactive steps companies can take include understanding potential liability related to digital assets, ensuring that those assets comply with the new regulations, and implementing measures to ensure that all data records are validated by personal consent.
“Until you have established proper consent models, you should consider reducing or stopping the collection of new data,” says Langshur. “Fundamentally, if you are doing business in the EU or transact with EU residents, then GDPR will impact every aspect of your business.”
Looking ahead, trust is going to be the new currency when it comes to the EU's new permission-based data management ecosystem. “Transparency is the key to maintaining this trust going forward,” says Langshur. “Brands that get this right will be rewarded with both a long-term customer relationship, and with increasing amounts of precious first-party data.”