Avoid Penalties and Build Trust by Becoming GDPR Compliant
Disclaimer: I am not a lawyer and this blog post is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggested clarifications, please comment and provide sources, as appropriate.
What is GDPR and Why Should I Care?
The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy regulation that puts the customer (the individual) in control of their personal data, and it goes into full effect on May 25, 2018. Its purpose is to consolidate privacy regulations across the EU.
Even though this regulation comes from the EU, it impacts businesses in the US and elsewhere that do business with EU citizens. (This also includes the UK: Brexit had not yet occurred as of the writing of this blog post, and the UK will likely adopt similar legislation to protect its citizens once it is completed.) There are monetary administrative penalties (fines) of up to €20 million or 4% of worldwide revenue, whichever is higher, if your organization is found not to be in compliance. Yes, even if your company is based solely in the US and has EU customers.
The full details of the GDPR are overwhelming. While you can of course read the original source and try to interpret the legal-speak, you may want to have a peek at ‘The GDPR in Plain English’ to supplement your understanding.
Not Specific to Digital Analytics
GDPR is not specific to Digital Analytics data and all data from your organization is subject to it.
Thus, it is possible that your organization is already working on GDPR compliance in other areas and at other levels, and I would advise that you become part of that conversation.
3 Simple Points to Understand
From a Digital Analytics and Digital Marketing perspective, here are the three most important points to focus on:
- Expanded Definition of Personal Data — The GDPR explicitly defines online identifiers (in Recital 30) such as IP addresses, cookie identifiers and GPS locations as PII. In the UK, a postal code may be so granular that it identifies only one person or ten people. Name, email, phone, etc. are of course still PII. Further, the GDPR recognizes the concept of “pseudonymization”: replacing direct identifiers with User IDs, or encrypting/hashing data, so that an individual cannot be identified without combining the data with another, separately held data source.
- Explicit Consent & Transparency — No more pre-checked boxes or inactivity to assume consent; your customers must explicitly opt-in. They must also be able to easily change their decision afterwards (opt-out).
- Right to be Forgotten — Personal data must be erased upon request.
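To make the pseudonymization and right-to-be-forgotten points concrete, here is an added example (my own illustration for this post, not code from the original article, from Google Analytics or from any other vendor). It assumes a controller that holds a secret key separately from the analytics data, derives a keyed hash of the User ID (HMAC-SHA256) and truncates IP addresses before anything is handed to a processor; the `PseudonymousHitStore` class and `handle_erasure_request` function are hypothetical names standing in for the processor's record store and the controller's erasure workflow.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List

# Constructed example: a fresh key is generated on every run. In practice the
# key lives in a store kept separate from the analytics data (for example the
# controller's secrets manager), which is what makes the output pseudonymous
# rather than merely hashed.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymize_user_id(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a User ID.

    The same user always maps to the same pseudonym, so sessions can still be
    joined for analytics, but without the key the pseudonym cannot be linked
    back to the person. A plain unkeyed hash does not give that guarantee for
    low-entropy inputs such as e-mail addresses or IP addresses.
    """
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Coarsen an IP address before it is stored or sent to a processor.

    IPv4 keeps the first 24 bits and IPv6 the first 48, so the stored value
    names a network rather than a single host (the same granularity that the
    Google Analytics IP anonymization feature applies).
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


class PseudonymousHitStore:
    """Stand-in for the records a processor (e.g. an analytics vendor) holds.

    Only pseudonyms and truncated addresses are written here; the raw User ID
    and the full IP never cross the boundary from the controller.
    """

    def __init__(self) -> None:
        self.records: List[Dict[str, str]] = []

    def record_hit(self, user_id: str, ip: str, page: str) -> Dict[str, str]:
        record = {
            "uid": pseudonymize_user_id(user_id),
            "ip": truncate_ip(ip),
            "page": page,
        }
        self.records.append(record)
        return record

    def hits_for_pseudonym(self, pseudonym: str) -> List[Dict[str, str]]:
        return [r for r in self.records if r["uid"] == pseudonym]

    def erase_pseudonym(self, pseudonym: str) -> int:
        """Delete every record for one pseudonym; returns how many were removed."""
        before = len(self.records)
        self.records = [r for r in self.records if r["uid"] != pseudonym]
        return before - len(self.records)


def handle_erasure_request(store: PseudonymousHitStore, user_id: str) -> int:
    """Right to be forgotten, controller side.

    The data subject identifies themselves with their real identifier; the
    controller (who holds the key) re-derives the pseudonym and instructs the
    processor to delete the matching records. The processor never needs the
    identity itself.
    """
    return store.erase_pseudonym(pseudonymize_user_id(user_id))


if __name__ == "__main__":
    # Constructed sample traffic; the addresses come from documentation ranges.
    store = PseudonymousHitStore()
    store.record_hit("alice@example.com", "203.0.113.77", "/pricing")
    store.record_hit("alice@example.com", "2001:db8:1234:5678::1", "/signup")
    store.record_hit("bob@example.com", "203.0.113.9", "/")
    print("stored:", store.records)
    removed = handle_erasure_request(store, "alice@example.com")
    print(f"erased {removed} records for alice; {len(store.records)} remain")
```

Two design points are worth noting. First, the key is the “other data source” in the definition above: whoever holds only the pseudonyms and truncated addresses cannot work back to a person, while the controller can still honour an erasure request because it can re-derive the pseudonym from the identity in the request. Second, an unkeyed hash of an IPv4 address is not pseudonymous in any useful sense, since the whole address space is small enough to enumerate, which is why the address is truncated rather than hashed.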
Critical Definitions
The GDPR contains the definitions of a Data Controller and a Data Processor. Simply put, the Data Controller is often your own organization, since you control the purpose and which data is collected.
The Data Processor (from a Digital Analytics perspective) is often your vendor, such as Google Analytics. The Data Processor processes data on behalf of the Data Controller.
GDPR and Data Governance
GDPR is part of a solid data governance practice since it deals with security of data, processes around data, and data management.
For example, what processes does your organization have when a new request is made to add a new advertising pixel onto your site? Is this reflected properly in the privacy policy and consent dialogues? Do you understand what data is sent to this vendor, how they use it, and if they are compliant as a Data Processor? Your obligation as a Data Controller puts you in the hot seat to have a full understanding of that data being sent and how it is used.
Not Prepared? You’re Not Alone
The deadline of May 25, 2018 is approaching quickly and will be here before we know it. If your organization isn’t prepared, you are not alone.
According to a recent HubSpot survey of marketers, only 36% of them had heard of the GDPR, and 22% admitted that they had not yet done anything to prepare for it. HubSpot’s survey also looked at consumers’ attitudes about the GDPR in the EU and found that 81% agree that the GDPR is a good thing (rising to 90% after learning more about the GDPR).
If your customers in the EU want this regulation, then you need to take action to evolve your data privacy practices to be ready (and again, the fines for ignoring this are substantial, so hopefully that is your motivator if you think you know better than your EU customers). Jeff Lunsford, CEO of Tealium, stated that organizations “should also see GDPR as an opportunity to provide what today’s consumers want — clarity and processes that put their individual rights first.” Further, it is almost guaranteed that other countries and regions will adopt similar regulation; there has already been movement on this in the US and Asia.
Bottom Line: GDPR is happening and your organization must take action to be ahead of this to provide the data privacy controls that your consumers are asking for.
e-Privacy Regulation Overshadowed
To make matters even more complicated, the GDPR buzzword is overshadowing the EU e-Privacy Regulation. This regulation is intended to take effect at the same time as the GDPR, though reports state that this is unrealistic given the lack of progress on it so far.
While you’ll need to research the provisions of this regulation directly (and be aware that things may still change from the current draft), one of the most visible changes will be that those cookie consent pop-ups/overlays will go away: browser settings will instead be used to indicate consent (privacy by design, via the Do Not Track setting). This could potentially revive the Do Not Track (DNT) browser setting that marketers have largely ignored for years.
GDPR is an Opportunity for your Brand to Stand Out
Turn the potential business threat of the GDPR into an opportunity for your organization to build brand affinity. The sooner you are GDPR compliant, the more likely you will be seen as a leader that cares about its customers, and you’ll gain a competitive advantage.
We expect that both EU and non-EU customers alike will use adherence to these privacy regulations (GDPR and future regulations being discussed) as a measure to size up how safe their data is and ultimately, how much they trust your brand.
If your organization is not making progress towards this solution prior to the May 25, 2018 deadline, please engage in the conversation by sharing your questions and comments below. Or reach out to our team to learn how we can help accelerate compliance.
In a follow up post, I’ll provide actionable tips for how you can become GDPR compliant using Google Analytics.