The EU General Data Protection Regulation (GDPR) is upon us, and most companies are still woefully unprepared. But beware, failure to comply leaves firms everywhere in the world vulnerable to heavy penalties.
Very likely, all the news about GDPR went into the wrong silo of your company, because it is inherently a marketing issue, not a compliance issue.
What you need to know
- GDPR comes into effect in March 2018
- It is an update to the 1995 EU directive 95/46/EC
- GDPR requires businesses around the world to protect the personal data and privacy of EU citizens for transactions that occur within EU member states
- If you have EU customers, you are affected
- Non-compliance carries heavy fines
Which businesses are affected?
- Companies with a legal presence in an EU country.
- Companies without a legal presence, but in possession of personal data of EU residents (yes, that means your newsletter and customer database!)
- The distinction between companies larger than 250 employees and smaller is effectively cosmetic. If you have fewer than 250 employees, you will still be affected.
How much can we get fined?
The GDPR allows for penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher.
What do you need to do?
Unfortunately for compliance departments, the GDPR isn't very clear on details. It takes a very comprehensive view of personal information. Names, addresses and ID numbers are certainly covered, but so are IP addresses and other items that are not immediately obvious, such as:
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
In short, any information that can be used to identify a person. If you have acquired that data "without the express consent" of the person, you are especially liable to penalties in case of a violation.
What must I do?
GDPR requires that companies employ a reasonable level of protection, without defining reasonable. In a knee-jerk reaction, compliance departments might just tell marketing and sales departments to stop what they are doing.
I only have distributors in Europe, am I affected?
Very likely yes. According to EU legislation, sole distributors act on behalf of their client, and the protection of customer data is the job of the supplier, not the distributor (unless otherwise stipulated in the distribution contract).
We are just a B2B business, does this affect us?
Yes, it does, very much so, because you have client relationships too. Your B2B customers are also people.
So, what do we need to do?
First of all, find out who is in charge and who has the expertise to deal with this. GDPR requires organizations to have a dedicated chief privacy or data officer. If you don’t have anyone in this role, you need to hire someone or get someone certified. Ideally, it should be a trusted employee with more than just a legal or compliance background, but someone who also understands marketing.
Secondly, make sure you understand your data, what is in it, where you store it, and most importantly, how you capture it. If necessary, hire an agency to do a data audit. Once you have done this, make sure you have a database management system in place to avoid future slip-ups.
Thirdly, you'll need to add the necessary language to your website, newsletter signup, vendor agreements, and so on.
Make sure that throughout this process the marketing team is involved, because at the end of the day, GDPR is not a compliance issue, but a marketing issue.
GDPR is a marketing issue, not a compliance issue
Which brings us to the main point: GDPR is a marketing concern. Compliance departments have a strong incentive to send out warnings and, because of the uncertainty, stop sales and marketing teams from continuing their traditional marketing.
Marketing departments around the world will be told by legal: "you can't do that anymore!"
GDPR is a great opportunity
This is a perfect opportunity for companies to finally embrace content marketing and inbound marketing (see Inbound Marketing Explained), where potential clients actively sign up and express a clear wish to receive information and engage with your brand.
That means a small update to your website and marcom materials and probably a few workshops for your marketing department to finally get them on board with non-invasive marketing techniques.
Overall, GDPR is a good thing
GDPR, and future regulations in other countries, will force companies to improve data management, abandon outdated disruptive marketing practices, cut down on spammy advertising, and develop new products and services that could help them be more successful. As such, it is more of an opportunity than a threat.
It's time to learn some inbound marketing.