10 things you should know about GDPR
Not fully aware of the implications of GDPR? You’re not alone.
It took more than four years of work for the European Union to agree on a complete overhaul of the EU data protection rules dating back to 1995, when the internet was still in its infancy, eBay was launching and the DVD was just being introduced. With six months to go until the General Data Protection Regulation (GDPR) takes effect on 25 May 2018, many expect that this new piece of regulation coming out of Brussels will create the biggest disruption in consumer privacy law in over two decades.
But what does it mean for your marketing team and why should this keep you up at night if you’re not GDPR ready yet?
1. GDPR is not something only your legal team needs to handle
From a brand owner’s perspective, GDPR will require a greater focus on how brands communicate with consumers about their privacy and could limit the way some consumer data can be used to develop personalised marketing. Of course, legal teams will be responsible for ensuring that their companies’ practices are compliant with the new rules, but marketers will need to be aware of what changes are coming and how they will impact their day-to-day work.
2. It will impact businesses irrespective of where they’re based
‘It’s a European law and we’re based outside the EU, surely that means we won’t be impacted’. This couldn’t be more wrong. GDPR applies to any company which offers goods or services to consumers in the EU or monitors the behaviour of people in Europe. This means that it will affect almost all large multinational companies, even if they’re headquartered outside the EU.
3. Non-compliance is a no-go
Think non-compliance, think fines up to 4% of a company’s annual turnover – for Global 500 companies, that could mean fines ranging from $800 million to as high as $19.2 billion. GDPR also opens up the possibility of consumers and not-for-profit organisations launching legal proceedings for compensation in the event of GDPR violations. But, even worse, non-compliance can bring reputational damage and the loss of consumer trust, which are even harder to overcome.
4. GDPR = the end of the single tick box
GDPR sets out new and extensive conditions for consent to be valid: it needs to be freely given, specific, informed and unambiguous. Under the new rules, consent will be required for each purpose for which a company wants to process personal data, which means that consumers may need to be asked for their consent more often. As a consequence, in many cases, it may no longer be enough to rely on a general permission given by ticking a box when signing up to a service.
5. When consent isn’t an option
GDPR allows personal data to be processed, where necessary, for the ‘legitimate interests’ of the company without needing to get consent. This may be particularly relevant in cases where getting consent would not be a viable option e.g. because the company doesn’t have a direct link to the consumer to ask for consent. Find out more about consent here.
6. Re-using data for other purposes
In many cases, personal data is collected with a specific purpose in mind e.g. signing up to receive a newsletter. However, marketers might be interested in using this data to develop insights for other marketing campaigns. GDPR only allows this under specific circumstances. Learn more about what this assessment needs to take into account.
7. Parental consent when processing children’s data
GDPR sets the age of a child at ‘below 16 years old’, although national regulators in EU countries can opt to lower this age to anywhere between 13 and 16 years old. This means that companies will need to put in place mechanisms to ask for and verify parental consent.
8. It applies to data collected by third parties
Brand owners will need to be able to demonstrate that consent was provided in a way that meets the GDPR conditions even if the data was collected by third parties. This means that brand marketers and their legal teams will need to work with agency partners and other third parties to ensure this is possible.
9. Not fully aware of the implications of GDPR? You’re not alone
In a WFA member survey, 70% of respondents said that they don’t think marketers in their organisation are fully aware of the implications of GDPR for future marketing campaigns. This reveals that there is a pressing need for organisations to raise awareness of GDPR amongst marketers before the rules take effect in May 2018.
10. There’s a GDPR Guide that can help you navigate these challenges
To help marketers to get to grips with the challenges of GDPR and what it means for their day-to-day work, we have created a new GDPR Guide for Marketers, which was compiled in conjunction with global privacy and cybersecurity legal experts Hunton & Williams. You can download your free copy here.
WFA is also exploring the topic in its Digital Governance Exchange forum, a group of 200 senior in-house experts who meet regularly to discuss common challenges on privacy, data protection and message targeting. The group will be meeting for the first time in New York on 7 December with a session specifically focused on best practice around GDPR to highlight how brands can take effective action.
For more information on WFA’s work on GDPR, please get in touch with Catherine.