Are you ready for the GDPR? A guide for advertising agencies
by Jerelle Gainey and Debra Wang, 15 Mar 2018
The General Data Protection Regulation (GDPR) is one of the most expansive pieces of privacy legislation in history. Ultimately a good thing for users and enterprises, it also comes with a new set of challenges for the marketing industry, which must educate itself and adopt processes, policies and procedures to ensure compliance and protection for European Union (EU) consumers.
What is GDPR?
The GDPR is a game-changing digital privacy regulation that will go into effect on May 25, 2018. It standardizes a wide range of different privacy legislation across the EU into one central set of regulations with the goal of protecting users in all member states. Most importantly, because it is legally binding, companies cannot ignore it or opt out.
The purpose of the GDPR is to ensure that EU users have greater control over their personal information, including the right to actively consent to every use of personal data, the right to limit that use, the right to be forgotten, the right to have their data portable and the right to seek damages should they suffer from misuse or breach of their data.
If you’re based outside the EU, but your client or company targets users in the EU and collects personal or behavioral data from these users, your company is still subject to compliance with the requirements of the GDPR. It is important to note that the GDPR is an evolution of existing EU data protection policies — not a complete revolution — which means all organizations will need to rethink their data practices, and keep up as it continues to evolve.
Currently, fines are set at up to €20 million or 4% of global revenue, and there are precedents set when companies were caught breaching regulations and fined:
- Example 1: Flybe – Convicted of breaking the law after emailing people who had clearly opted out.
- Example 2: Honda – Preemptively tried to ask consumers if and how they would like to continue to receive marketing messages from them, but due to an outdated database, several consumers had already opted out.
The Elements of GDPR
So, what actually makes up GDPR and what consumer data does it protect?
From a corporate standpoint, all companies will now be required to:
- Include privacy settings into their digital properties, otherwise known as “privacy by design,” forcing companies to be proactive vs. reactive
- Regularly conduct privacy impact assessments
- Enable clearly defined methods of seeking user consent to use their data
- Document how the company is using personal data
- Adhere to data breach communication protocols
- Stop using pre-ticked boxes or opt-out (instead of opt-in) for marketing, which are no longer allowed
What Consumer Data Is Protected?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Mobile phone number
- Driver's license/passport number
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Another built-in element is the 72-hour clause. This is the amount of time companies have to notify their supervisors of a breach (and the public, if consumer data has also been exposed). There’s still some grey area in terms of what constitutes an ‘undue delay’, but this makes companies accountable for notifying consumers so that passwords can be changed or credit protection installed.
In short, there are a lot of details and attempts at summarizing the 200-page document of reform around the web, and it’s in every company’s best interest to reach out to legal professionals to ensure that they’re in compliance.
GDPR in Practice
What does this mean for everyone? And how will it impact how companies do business?
For everyone in the EU, it means more transparency and assurance that companies WILL be more organized and stringent in how their data is being stored, protected and processed. Consumers will no longer be defaulted to opt in to all mass marketing, and similar to security/privacy options, the most stringent security settings will now be the default vs. some of the more open public settings. This should help manage the volume of spam and also avoid the annoying occurrence where they’ve unsubscribed from a newsletter, only to find it pinging in their inbox for another two weeks (the only caveat could be an unexpected email in situations where a user refers a friend).
For businesses it gets a little more intricate with how they retain and remarket to customers. Third-party anonymized data is still allowable, so for most advertising targeting practices, like audience targeting or demand side platforms (DSPs), it should remain relatively the same. But how a company gathers customer emails and utilizes them for other practices, like email marketing or Google’s Customer Match, could need an audit or retooling of the entire process and strategy. Similarly, social media platforms that can attribute specific attributes or behaviors to an exact user profile may also find themselves in GDPR grey zones.
Understandably, any concerns surrounding drop-off rates are warranted, and marketers may see their customer pools shrink overnight. This can also be interpreted as removing wasted impressions from consumers who have already stopped interacting with and/or lost interest in their brand. What’s left is a far more interested and profitable audience that can be cultivated and retained.
For advertising agencies, there is also a sense of responsibility and awareness to help our clients ensure that their data is being held to the new standard. This is especially true if we know their customer base crosses over into the EU.
How to Prepare?
HubSpot performed a survey in Nov. 2017 and found that as many as “36% of marketers had not even heard of the GDPR yet and 15% of companies have done nothing to become compliant.” If you happen to fall into this category, you’re not alone, and we’ve got a guide to help!
Education. The first and most important step is to seek education. Hopefully this article is a great starting point, but there are many resources available, including the GDPR website, to educate you on the scope, ramifications and requirements of the regulation.
Engage all stakeholders. You should make sure everyone in the business understands the regulation, how it impacts the business and what steps the organization will be taking to maintain compliance.
Assign data protection personnel and/or a trained professional team. You may want to assign team members or hire consultants who are tasked with ensuring GDPR compliance for the organization. Companies like Secureworks, or third-party IT reports like the annual Gartner Magic Quadrant, help evaluate the different scopes and strengths of industry network security companies.
Conduct a risk assessment. You should audit the data you’re collecting on EU citizens, determine how the data is being used and create data maps to establish processes for mitigating potential compliance issues or establishing new data capture practices.
Create a data protection plan. If your company doesn’t already have a data security policy, you should begin working to put one in place and confirm that it is in compliance with the GDPR requirements.
Privacy Shield framework. Businesses should seek out certification under Privacy Shield standards to ensure their operations are in compliance before the GDPR goes live.
In an age where offline and online interactions increasingly intersect, it’s inspiring to see a collective consensus agree on a “common sense” law. Personal data is a valuable resource to be protected and we will all benefit from this law.
Similarly to how we wonder why the automobile industry didn’t mandate seat belts from the very beginning, we may look back and wonder why we were so trusting and naïve, operating in the digital realm without basic digital consumer data protection.
Unsure if your advertising or marketing plans would be up to snuff? Contact us!