Unless you’ve been taking a break from social media lately, posts about the EU’s General Data Protection Regulation (GDPR) have probably been blowing up your news feed (now that the clock is ticking for the May 25 implementation date).
While EU businesses and enterprise-level organizations around the globe have had this legislation on their radar for a while now, small businesses and content creation consultants in the good old US of A have a lot of catching up to do.
While I’m neither a lawyer nor a GDPR expert, I’ve learned a heck of a lot over the past year from digital policy consultant Kristina Podnar. Although we’ve determined that our shared last name is a matter of coincidence rather than ancestry, we’ve become friends and colleagues, and she’s taught me everything I know about this supposed Legislation of Doom everybody’s buzzing about.
So, while I won’t be offering specifics on what’s right for you and your company, what I can do is shine a light on some conversations you should be having with your executive leadership and legal counsel.
Yeah…that was my initial reaction, too. Here’s the short version:
The GDPR is an EU law that addresses all uses of personal data. The EU made a definitive, unequivocal decision that consumer data belongs to the consumer. Businesses can only borrow it — and, even then, only with the consumer’s explicit permission and under strict guidelines.
What is considered “personal data”?
Just about anything that, whether alone or in combination with other data points, could be used to identify an individual. In addition to the obvious things like name, address, government ID numbers, etc., it also includes IP addresses as well as data gleaned from cookies, apps, social media platforms, etc.
Whew…good thing we’re not in the EU.
The GDPR isn’t confined by geographic borders. Any company that collects, stores, processes, etc., the data of EU residents or citizens is bound by the law, even if the company has no physical presence in the EU.
Want some examples?
- Your email list contains any addresses ending in country codes like .eu, .uk, .ge, etc.
- People can access your website from within the EU
- You use a third-party vendor with servers in the EU (including a cloud storage solution)
- You employee an EU citizen (even if that person currently lives in the US)
Don’t be too quick to assume that the law doesn’t affect you just because you’re in the U.S. It’s more likely that it does, even if it’s due to a single email address lurking in your database.
Top 3 things U.S. marketers and SMBs need to check right now
If you’re not already GDPR compliant, you’re probably not going to get there by May 25. But you can make a start, and most experts believe EU regulators will look kindly upon companies that make a good-faith effort (especially outside of the EU).
The best way to start is to take a look at your marketing practices and identify areas where you may be non-compliant.
Figure out what data you have and where it is
The GDPR requires you to know what data you have, where it’s located, and, in addition, who has access to it. The law also guarantees EU residents/citizens the right to request a copy of their data, which they can then use to correct inaccuracies or even take to a competitor if they’re not happy with your service. They also have the “right to be forgotten,” which means that, upon request, you have to delete all of their information.
This is one area where small businesses may have an edge on large corporations that have to sift through siloed databases, legacy systems, corporate bureaucracy, etc. But even if you’re lucky enough to have everything in one database or CRM platform, it’s still not quite that simple. You also have to account for data backups, paper records, and even employee emails that might contain customer information.
The last thing you want is to be unable to accommodate a consumer request that’s guaranteed by the GDPR. If somebody wants to know what data you have on them, and you can’t provide an answer because you don’t know where their data is, they can file a complaint.
Decide what data you really need
Many businesses have taken a “more is better” approach to customer data. After all, you might need it someday…right?
If that’s been your approach, it’s time to reassess. Between data breaches and regulations like the GDPR, every data point represents both risk and opportunity — and it’s your job to find the sweet spot.
- The more personally identifiable data you have on a consumer, the more damaging a data breach can be.
- The GDPR states that you need a legitimate business reason for each piece of data. If all you’re doing is sending consumers an email newsletter, for example, you probably don’t need their physical addresses.
- That goes for former customers, too. Unless there are legal or regulatory reasons to keep that information, you’d be better off deleting it.
“Nice to have” consumer data is a myth. You either have a legitimate business need for it, or you don’t. If you don’t, delete it. (And remember that, “Oh, I forgot that was there,” isn’t a good excuse.)
Your privacy and consent statements
The EU wants consumers to know what data you have on them as well as what you do with it. And they also want them to be able to figure it out without a lawyer.
Make sure your privacy statements are specific, easy to read, and easy to access. Using convoluted, legalistic language to camoflauge what you’re using consumer data for (or just because it seemed too hard to write it simply) won’t cut it.
Most businesses already get some type of consent from their customers, but the GDPR mandates separate consent for each use of their data. If you sell a product online and need to ship it to the customer, for example, it’s reasonable to request name, address, email, and phone number. But you can’t use that information later to send catalogs or emails, or call to make a sales pitch, without getting explicit consent for each of those activities.
Don’t collect a customer’s data for one reason and use it for another without explicit consent. That means no more taking the email addresses you collect from people who want to access content downloads or upgrades and automatically adding them to your email list. And ditch those opt-out forms where the box giving consent is already checked. Consumers have to actively opt in.
Your approach to user-generated content
Many brands rely on user-generated content, but it’s important to take another look from the perspective of data privacy and GDPR compliance. Sure, you can rewrite your submission forms so that customers have to give consent before making their submissions, but there’s more to it than that.
That’s because there’s a big difference between usage rights and privacy rights. Let’s take a user-submitted photograph as an example:
- You need to obtain usage rights from the person who took the photo. It’s their intellectual property, they own it, and just because they shared it with you doesn’t mean you can share it with the world. You need explicit permission. This is especially important when you include user-generated content in marketing campaigns. A customer who willingly shared a photo on Instagram might have second thoughts if it becomes the centerpiece of your next campaign.
- You need to obtain consent to use personal data (in this case, image and likeness) from the people in the photo. The photographer can’t grant you permission to use someone else’s image and likeness. This can be particularly problematic for crowd shots.
There are a few things to be aware of even though they don’t fall neatly into the “marketing and GDPR bucket”:
- Your company will need to set up processes for handling consumer inquiries about their data and how you use it as well as for addressing requests to delete data.
- While not precisely addressed under the GDPR, this is a good time to review website accessibility. Although many people in the U.S. don’t realize that the Americans with Disabilities Act applies to digital spaces as well as to physical ones, there have recently been a number of high-profile lawsuits over this issue.
- While privacy issues are one of the most obvious concerns about user-generated content, it’s also important to be aware of potential problems with trademarks, especially with crowd shots. If the photo includes the logos or names of other brands — on t-shirts, hats, signage, even cups — publishing them on your website could constitute trademark infringement.
I’ll wrap this up the same way I started it: I’m not a lawyer, and I wouldn’t even attempt to advise you on how to handle specific situations. I just wanted to shine a light on some of the conversations you should be having with company leaders and legal counsel as the GDPR implementation date draws closer.
I also want to end things on an upnote:
- It seems unlikely that EU regulatory officials will kick things off by looking for violations made by small U.S. companies. Unless somebody files a complaint (class action suits are another possibility), you should have some time to get your digital house in order. Even then, most people expect that being able to demonstrate a good-faith effort will carry a lot of weight.
- The primary purpose of the GDPR is not to generate revenue from fines and penalties. The purpose is to provide more privacy and a better experience for consumers. That, in turn, will deliver a competitive advantage to businesses that commit themselves to putting customers, and their privacy, first.
One last thought…getting consensus on the changes you need to make to become GDPR compliant likely won’t happen overnight. But that’s OK — what’s important is to make your plan and to take it from there, one step at a time.
Editor’s note: This post was written by nDash community member, Patti Podnar. Patti is a professional writer focused on a wide range of topics, including marketing, construction, technology and others. To learn more about Patti, or to have her write for your brand, check out her nDash profile page.