Blast Analytics and Marketing

Analytics Blog

Supporting Leaders to EVOLVE
Category: User Privacy

Avoid Penalties and Build Trust by Becoming GDPR Compliant

February 9, 2018

Disclaimer: I am not a lawyer and this blog post is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggested clarifications, please comment and provide sources, as appropriate.

Countdown to GDPR

What is GDPR and Why Should I Care?

The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy regulation that puts the customer/individual in control and it goes into full effect on May 25, 2018. The purpose is to consolidate privacy regulations across the EU.

Monetary administrative penalties of €20 million or 4% of worldwide revenue if your organization is not in compliance (even for US companies with EU customers).

Even though this is regulated from the EU, it impacts businesses from the US and other locations that are doing business with EU citizens (this also includes the UK as the Brexit has not yet occurred as of the writing of this blog post and will likely include similar legislation to protect its citizens once completed). There are monetary administrative penalties (fines) of €20 million or 4% of worldwide revenue if your organization is found to not be in compliance. Yes, even if your company is based solely in the US and has EU customers.

The full details of the GDPR are overwhelming. While you can of course read the original source and try to interpret the legal-speak, you may want to have a peak at ‘The GDPR in Plain Englishto supplement your understanding.

Not Specific to Digital Analytics

GDPR is not specific to Digital Analytics data and all data from your organization is subject to it.

GDPR is not specific to Digital Analytics data and all data from your organization is subject to it.

Thus, it is possible that your organization is already working on GDPR compliance/adherence at different levels/areas and I would advise that you become a part of the conversation within your organization.

3 Simple Points to Understand

From a Digital Analytics and Digital Marketing perspective, here are the three most important points to focus on:

  • Expanded Definition of Personal Data — The GDPR explicitly defines online identifiers (in Recital 30) such as IP addresses, cookie identifiers, GPS locations as PII. In the UK, a postal code may be so granular that it identifies one person or ten people. Name, email, phone, etc are of course still PII. Further, GDPR recognizes the concept of “pseudonymizationwhich is a practice that may include User IDs and/or encryption/hashing of data to make identification of an individual less likely without combining it with another data source.
  • Explicit Consent & Transparency — No more pre-checked boxes or inactivity to assume consent; your customers must explicitly opt-in. They must also be able to easily change their decision afterwards (opt-out).
  • Right to be Forgotten — Personal data must be erased upon the request.

Critical Definitions

The GDPR contains the definitions of a Data Controller and a Data Processor. Simply put, the Data Controller is often your own organization, since you control the purpose and which data is collected.

The Data Processor (from a Digital Analytics perspective) is often your vendor, such as Google Analytics. The Data Processor processes data on behalf of the Data Controller.

GDPR and Data Governance

GDPR and Data Governace

GDPR is part of a solid data governance practice since it deals with security of data, processes around data, and data management.

For example, what processes does your organization have when a new request is made to add a new advertising pixel onto your site? Is this reflected properly in the privacy policy and consent dialogues? Do you understand what data is sent to this vendor, how they use it, and if they are compliant as a Data Processor? Your obligation as a Data Controller puts you in the hot seat to have a full understanding of that data being sent and how it is used.

Not Prepared? You’re Not Alone

The deadline of May 25, 2018 is approaching quickly and will be here before we know it. If your organization isn’t prepared, you are not alone.

According to a recent HubSpot survey of Marketers, only 36% of them had heard of the GDPR and 22% admitted that they haven’t done anything yet to prepare for the GDPR. HubSpot’s survey also looked at consumer’s attitudes about the GDPR in the EU and found that 81% agree that the GDPR is a good thing (and 90% agreed after learning about more about the GDPR).

Organizations “should also see GDPR as an opportunity to provide what today’s consumers want…”

If your customers in the EU want this regulation, then you need to be taking action to evolve your data privacy practices to be ready (and again, the fines of ignoring this are substantial, so hopefully that is your motivator if you think you know better than your EU customers). Jeff Lunsford, CEO of Tealium, stated that organizations “should also see GDPR as an opportunity to provide what today’s consumers want — clarity and processes that put their individual rights first.” Further, it is almost guaranteed that other countries/regions will adopt similar regulation. There’s even been movement on this in the US and Asia.

Bottom Line: GDPR is happening and your organization must take action to be ahead of this to provide the data privacy controls that your consumers are asking for.

Bottom Line: GDPR is happening and your organization must take action to be ahead of this to provide the data privacy controls that your consumers are asking for.

e-Privacy Regulation Overshadowed

e-Privacy Regulations

To make matters even more complicated, the buzz word of GDPR is overshadowing the EU e-Privacy Regulation. The aim of this regulation is to go into effect at the same time as GDPR; though reports state that this is unrealistic given the lack of progress on it at this time.

While you’ll need to directly research the provisions of this regulation (and be aware that things may still change from the current draft), one of the most visible changes will be that those cookie consent pop-ups/overlays will be no more. They will have to go away as the browser settings are leveraged to indicate consent (privacy by design per the Do Not Track settings). This could potentially revive the Do Not Track (DNT) browser setting that has been largely ignored by marketers for years.

GDPR is an Opportunity for your Brand to Stand Out

GDPR Brand Opportunity

Turn this potential business threat with GDPR into an opportunity for your organization to build brand affinity. The sooner you are GDPR compliant, the more likely you will be seen as a leader that cares about your customers and you’ll gain a competitive advantage.

We expect that both EU and non-EU customers alike will use adherence to these privacy regulations (GDPR and future regulations being discussed) as a measure to size up how safe their data is and ultimately, how much they trust your brand.

If your organization is not making progress towards this solution prior to the May 25, 2018 deadline, please engage in the conversation by sharing your questions and comments below. Or reach out to our team to learn how we can help accelerate compliance.

In a follow up post, I’ll provide actionable tips for how you can become GDPR compliant using Google Analytics.

Joe Christopher
About the Author

As Vice President of Analytics at Blast Analytics, Joe leads a team of talented analytics consultants responsible for helping clients understand and take action on their vast amounts of data, to continuously improve and EVOLVE their organizations. With over 20 years of experience in analytics and digital marketing, Joe offers a high-level of knowledge and guidance to clients across all industries. He is an expert in all major analytics platforms including Google Analytics and Adobe Analytics, as well as various tag management systems such as Tealium and Adobe Launch. He also consults on data visualization, data governance, and data quality strategies. Having extensive expertise in many areas, has enabled Joe to become a well known thought leader and speak at industry events such as Tealium’s Digital Velocity series. Joe remains on the pulse of various information technology, programming languages, tools and services, keeping Blast and its clients on the leading edge.

Connect with Joe on LinkedIn. Joe Christopher has written on the Blast Digital Customer Experience and Analytics Blog.