The European Union’s GDPR (General Data Protection Regulation) is all about how companies use the personal data of those they interact with. Everywhere we go on the internet, we leave a digital footprint. That footprint consists of our demographics, our behavior, our purchases and interactions, and it has become something of great value. (As the Economist says, “personal data is the world’s greatest resource.”) As is the case with anything of great value, it creates the need to protect that data from abuse—from benign misuse to serious breaches and malicious intent.

While GDPR is activating (or activated, depending on when you read this) in the EU, it will have implications for U.S. businesses—even those with no business dealings overseas. Sorry. Any U.S. company with a website that markets their product or services on the internet needs to shore up their policies and procedures as it relates to consumer data collection.

What type of collected data is covered by GDPR?

GDPR covers most of what you collect from those you do business with or may potentially do business with. Data that is subject to GDPR includes:

• Basic identity - name, address and identification numbers 
• Weblogged data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation

It’s now your job to protect EU users' data (and everyone else’s if we’re being honest)

If your data records are breached, GDPR requires that your company report any EU user’s data that has been compromised within 72 hours of the breach to the regulatory body and to users. Failure to do so will result in fines, although it is unclear at this time how those fines will be assessed to multinational companies. 

Collecting information for marketing/re-marketing purposes

In order to be compliant with GDPR, and potential future U.S. regulations, marketers must:

1. Institute consumer opt-in/opt-out permission rules.
2. Maintain a record of consent to market. (One way to achieve this is through a CRM like Hubspot, which maintains records of contacts in the activity feed.)
3. Provide a way for consumers to request to have their personal information removed, a.k.a., The Right to be Forgotten (which, coincidentally, was my 1990 prom theme).

This means that the difficult, but attainable “double opt-in” method is the best way to ensure you have the full consent of the consumer, and that you must have the processes in place for them to opt-out and be removed from your system entirely. This is good practice for email marketing, anywhere.

In a double opt-in, the user may choose to opt-in to communications, via your website, and subsequently gets an email that asks them to confirm their consent. In the U.S., you will be best served by a confirmation email that allows users to either confirm that they are opting in, or at minimum, allows them to opt out or request for their information to be deleted.

Targeted Digital Marketing Efforts

If your company, in the scope of marketing activities, targets a user in the EU, that data is subject to GDPR. Normal every day marketing (non-targeted) such as SEO, is not considered subject to the regulations. If a consumer in the EU searches the internet for a product or service and is served up your company’s website, in your country of origin’s language, then it is NOT subject to GDPR. However, if you offer a version of the site in the searcher’s language and/or your site references EU clients and customers, then the page IS subject to GDPR, as it is considered a targeted effort.

Example of how to comply with GDPR in targeted marketing:

If a U.S. company is planning to launch campaigns in an EU country (let’s say Germany), and plans to collect the email address or data of visitors, then certain rules must be met.

• Notification: users must acknowledge that they know and understand what the company will do with their data (see collecting information, below).

How long can data be stored?

The regulation states that data records should be kept for no longer than is needed for the purposes for which the data has been processed. How do you determine how long that is? While the regulation is somewhat vague, it is best to determine what your data retention policy is and establish that time frame within your privacy policy. You must also determine how you will provide data records to a user if they are requested. While this article pertains mostly to marketing, this can apply to other types of data, such as employees, clients or contractors.

How far should you go, if you are not doing business in the EU?

A lot of GDPR is solid security protocol. You should have a secure site that keeps your contacts’ records safe. You should use permission-based communications processes. You should also protect your company from exposure and risk by implementing GDPR stipulations for any EU users. While it’s unknown at this point how aggressive the regulations will be carried out, examining your data, setting policies and procedures and ensuring the data you collect is collected and treated in a manner compliant with the spirit of GDPR should be a priority.

What else should you be doing? View our GDPR Checklist to make sure your privacy policy is up to snuff.*

Need help assessing your site and data collection methods, or crafting your compliance strategy? Contact us. (Every company will be different. If we don’t have the answers, we’ll help you find them.) 

*Disclaimer: we all went to school for marketing. We are not legal experts and strongly recommend you contact an expert in this area to be safe with your data collection practices.