Even though the General Data Privacy Regulation (GDPR) is designed to protect personal data of individuals throughout Europe, inbound marketers in the U.S. still need to pay attention. This massive update to the EU’s existing Data Protection Directive contains a number of regulations that can affect the way you handle and process the personal data of any EU citizens in your database.
The new regulations go into effect May 25, 2018, promising hefty fines for companies that don’t comply. Since you can’t very well comply with requirements if you don’t know what they are, it’s essential for your entire marketing team to familiarize itself with the GDPR.
Six Key Principles of the GDPR
The legislation lays down a broad range of requirements for companies that collect or process personal data, including compliance with six key principles.
When handling and using personal data, a company must:
- Be transparent, fair and lawful, clearly alerting people about how it’s being used and a “lawful basis” for processing it.
- Limit processing to specified and legitimate purposes, without re-using or disclosing data for purposes other than those for which it was originally collected.
- Minimize collection and storage, focusing on the least amount of relevant data needed for its intended purpose.
- Ensure its accuracy while allowing it to be amended or erased, giving people the chance to make corrections or deletions.
- Limit storage, retaining data for only the set amount of time needed to achieve purpose for which it was collected.
- Ensure its confidentiality, integrity and security, with technical and internal security measures.
Assess Your Existing Practices
One of the best ways marketers can prepare for the GDPR is to review current practices to see which may need adjusting to align with new website privacy regulations. These practices apply to all stages of personal data management, from initially collecting the data to eventually deleting it after it’s used for its purpose or upon termination of the customer relationship.
Collecting and Using Data
As a company that controls the data, or data controller, you need to provide full transparency when collecting personal data. This means you must let individuals know what the data will be used for, and they must give their consent for its use for that particular purpose.
If at any time you want to use the data for a different purpose, you must obtain additional consent from the individual. The individual must likewise provide consent before their data is shared or used for another purpose with a third party vendor, such as a training company that runs an online course on behalf of your company.
Limiting the Amount of Data
Under the GDPR, you’re only allowed to collect data that is directly related to its intended purpose. Collecting information that’s deemed unnecessary or irrelevant can count as a GDPR violation.
The GDPR has strict security provisions that must be followed. Certain types of sensitive data, such as biometrics and data about children, may need to be encrypted to protect it and keep it separate from other types of data in your system. Only employees authorized to use sensitive data for its intended purpose are allowed to have access to it.
Editing and Deleting Data
The GDPR allows individuals to request corrections, changes, or deletion of their data at any time, and you’ll need a way to access the data to make the requested amendments.
When deleting data, either by request or when it’s no longer needed for its intended purpose, you’ll need to send a confirmation that the data has been deleted. You’ll also need to ensure the data is deleted from your own system as well as any systems used by vendors that process your data.
Ensuring ‘Data Protection by Design and Default’
A policy of “Data Protection by Design and Default” is another element of the GDPR. That means your team needs to consider the impact any marketing initiative or project may have on a person’s privacy.
Companies must keep records that prove compliance with the GDPR, such as customer consent to use their personal data. Businesses must likewise make sure they have policies in place that outline how personal data can be collected and used.
View it as an Opportunity, Not Just a Hassle
Complying with the GDPR is going to take some work, but it’s also a prime opportunity to make your business really shine. Companies that readily comply with GDPR regulations show they truly care about their customers. The core concept behind the GDPR is that consumers should be in control of their own personal data.
Marketers who embrace this concept will engage in marketing tactics that show respect for personal data while underscoring the consumers’ right to be in control of it. Sharing this mindset with consumers puts you in a position to develop relationships based on trust, which is the foundation of any truly meaningful relationship no matter what regulations are in place.