By Emily Drumm, Senior Paid Media Specialist
The European Parliament approved the GDPR in April 2016 with a compliance deadline of May 25, 2018. It has been called the most important change in data privacy regulation in 20 years.
The EU General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
This is all happening across the pond, so you might wonder what kind of impact this had around the world and in the US? An important note is that the scope of the GDPR has an extended jurisdiction that applies to all companies processing personal data of EU residents, no matter where the business is located. To track behavior or manage the data of a resident of Europe…the company must comply to the GDPR or face a fine of 4% of annual global turnover or 20 Million Euros (whichever is greater).
The GDPR was created to protect the consumer who has concerns related to personal data privacy and security. You may have already seen rumblings about the GDPR in headlines or noticed that Facebook added an alert to mobile users everywhere.
So…What is Personal Data?
Personal Data is any information related to a person that can be used to identify that person. This could be a name, picture, email address, bank information, social media or networking posts, or medical information. Important for marketers to note this also includes computer IP addresses, cookies, remarketing & device ID’s.
While it is important to residents and consumers in Europe to understand how their private online information is being used the GDPR has also left some businesses and marketers wondering how this will impact their businesses in the US? We have listed key directives of the GDPR for businesses and digital marketers to note:
- Consent – Personal Data cannot be used without customer consent. Consent must be actively given and cannot be implied.
- Data Rights
- Right to Access & Portability – Users have the right to access their data as being used by a company or data collector and can request an electronic copy of their personal data. They also have the right to know where it is being used and for what purpose. Users can transmit their collected that data to another data collector.
- Right to be Forgotten – Users can request to be forgotten or permanently erased at any time. This means data must stopped being passed and processed and any third parties must also stop processing the data.
- Record Keeping Requirements – Any entity that collects or processes personal data must have a safe a secure way of keeping that data. Failure to protect personal data can result in fines or penalties.
- Breach Notification – Notification of breach of personal data is required and must be given within 72 hours of first having become aware of the breach.
How can Businesses & Advertisers Comply with GDPR?
Advertisers that collect data on their own sites or apps are responsible for notifying users and obtaining consent for data collection. Examples of this data include pixels for remarketing or conversion ID’s and other cookies. If additional information is captured through advertising on other properties such as a search engine like Google then Google must request consent for their own data collection purposes. Below are a few other tips on how to ensure your business is GDPR compliant:
- Be Transparent by asking for consent for any data you collect on your users. This is especially important in marketing when collecting cookies, IP addresses or device ID’s.
- Employ Strong Data Security Policies and update them frequently.
- Give Users the Option to Opt-Out