A Note to Our Clients: How the EU General Data Protection Regulation May Affect You
As a global digital marketing agency, with offices in five countries and clients in 10, Shaw + Scott works to keep up with changes to laws and regulations in all the places our clients do business.
It doesn’t matter if you have 100 employees or 100,000: If you have global customers, you should be keeping an eye on regional data regulations, and we want to make sure you’re aware of upcoming changes in Europe.
The new EU General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. These regulations can affect your business regardless of whether you hold an office in the European Union. British companies will still have to comply with these rules after Brexit, because the United Kingdom will implement a new law with the same regulations put forward in the GDPR. Companies based in the United States, without a physical or fiscal presence in the EU, aren’t exempt from the new law either. If your company holds data for EU citizens, you could also face fines for non-compliance.
The good news is, many of the new requirements are already considered best practice. As data controllers, marketers are basically just borrowing the personal information of customers and prospects, and customers should have the right to adjust that data or opt out of communications at any time. Marketing teams need to obtain explicit consent to speak with customers and let them know how, when, and why they’ll be contacted. Once customers give their permission, marketers should ensure communications are timely and engaging.
Below are specific steps to make sure you are compliant with GDPR:
Speak with your attorney. The Shaw + Scott team members are expert marketers, but we’re not lawyers. Have your legal counsel and Data Protection Officer, or whoever is in charge of your data policies, review the new regulation and make sure your data policies are sufficient. Companies that contact EU subjects and are not compliant with the new regulations can face fines of up to 4% of their worldwide annual turnover or €20 million, whichever is higher.
Keep your data clean. Remove any previously opted-out or unengaged EU data from your database prior to the May 25 deadline. You will also need to remove unengaged data from your systems on a regular basis moving forward – decide on a time limit for holding data on people who no longer engage with your communications, and then delete that data when the limit passes.
Always keep a paper trail. Keep track of what personal data you hold, when and how you obtained it, and with whom you share it. Make sure you keep a record of any time a client or prospect changes their permission status for each channel.
Collect only the data you need, and use the data you collect. Collect only the data you know you will use to send personalized, relevant marketing messages. You will need to outline for the recipient why you are asking for this data, and how you plan to use it, within one month of obtaining their data. Your customers will also be allowed, under the new regulation, to ask for an electronic copy of the data you keep on them. One global Shaw + Scott client is making this process easier by providing a link in their emails that will allow a customer to request an automatically triggered system email with all the user’s currently stored data.
Obtain permission openly and explicitly. Forms with pre-checked boxes will no longer count for opt-in purposes – you must use an unchecked box that requires a recipient to give their explicit permission. You must also obtain consent for each channel that you plan to use for communications.
Consider a double opt-in. Send a follow-up email to clients who give you permission to confirm that their email is correct and that they want to receive your communication. This is a great way to make sure you have clean data and that your customer is engaging with your brand. One of Shaw + Scott’s UK clients is considering doing this with consumer data collected in store, because verbal consent will not count as ‘permission’ in a post-GDPR world.
Protect your data. You will be required to notify the Data Protection authority in Europe within 72 hours of any data breach if EU data has been involved.
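As an added example (not Shaw + Scott’s code, nor that of any client mentioned above), here is a small Python consent ledger that ties the steps above together: per-channel explicit opt-in that rejects a pre-checked box, a double opt-in confirmation token, an append-only record of every permission change, a retention purge of opted-out or unengaged contacts, and an export of everything held on a person for a data access request. The class and field names, the 365-day retention window and the sample addresses are assumptions made for the illustration.

```python
"""Consent ledger illustrating per-channel opt-in, double opt-in, a paper
trail of permission changes, retention purging and subject data export.
Constructed example; names and the retention window are assumptions."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import json
import secrets


@dataclass
class ConsentEvent:
    channel: str   # "email", "sms", ... consent is tracked per channel
    status: str    # "pending", "granted" or "withdrawn"
    source: str    # how consent was obtained, e.g. "web form", "in-store"
    at: str        # ISO-8601 timestamp of the change


@dataclass
class Contact:
    email: str
    created: datetime
    consents: Dict[str, ConsentEvent] = field(default_factory=dict)  # current state per channel
    history: List[ConsentEvent] = field(default_factory=list)        # append-only audit trail
    pending_tokens: Dict[str, str] = field(default_factory=dict)     # token -> channel
    last_engaged: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, retention_days: int = 365):
        self.contacts: Dict[str, Contact] = {}
        self.retention = timedelta(days=retention_days)

    def _record(self, c: Contact, channel: str, status: str, source: str, now: datetime):
        ev = ConsentEvent(channel, status, source, now.isoformat())
        c.consents[channel] = ev
        c.history.append(ev)

    def request_opt_in(self, email: str, channel: str, source: str, box_ticked: bool, now: datetime) -> str:
        """Step one of double opt-in. `box_ticked` must be the state of a box that is
        unchecked by default; a form that pre-ticks it cannot produce consent."""
        if not box_ticked:
            raise ValueError("explicit opt-in required; pre-checked boxes do not count")
        c = self.contacts.setdefault(email, Contact(email, created=now))
        token = secrets.token_urlsafe(16)
        c.pending_tokens[token] = channel
        self._record(c, channel, "pending", source, now)
        return token  # would be embedded in the confirmation email link

    def confirm_opt_in(self, email: str, token: str, now: datetime) -> bool:
        """Step two: the recipient clicked the link, proving the address is theirs."""
        c = self.contacts.get(email)
        if c is None or token not in c.pending_tokens:
            return False
        channel = c.pending_tokens.pop(token)
        self._record(c, channel, "granted", "double opt-in confirmation", now)
        c.last_engaged = now
        return True

    def withdraw(self, email: str, channel: str, now: datetime):
        self._record(self.contacts[email], channel, "withdrawn", "unsubscribe link", now)

    def may_contact(self, email: str, channel: str) -> bool:
        c = self.contacts.get(email)
        return c is not None and channel in c.consents and c.consents[channel].status == "granted"

    def record_engagement(self, email: str, now: datetime):
        self.contacts[email].last_engaged = now

    def purge_unengaged(self, now: datetime) -> List[str]:
        """Delete contacts who withdrew every channel or have not engaged within the window."""
        removed = []
        for email, c in list(self.contacts.items()):
            opted_out = bool(c.consents) and all(e.status == "withdrawn" for e in c.consents.values())
            stale = now - (c.last_engaged or c.created) > self.retention
            if opted_out or stale:
                removed.append(email)
                del self.contacts[email]
        return sorted(removed)

    def export(self, email: str) -> str:
        """Data access request: everything held on this person, as JSON."""
        c = self.contacts[email]
        return json.dumps({
            "email": c.email,
            "created": c.created.isoformat(),
            "last_engaged": c.last_engaged.isoformat() if c.last_engaged else None,
            "consents": {ch: asdict(e) for ch, e in c.consents.items()},
            "history": [asdict(e) for e in c.history],
        }, indent=2)


def demo() -> dict:
    """Walk three constructed contacts through the lifecycle and return the outcomes."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger(retention_days=365)
    alice, carol, dave = "alice@example.com", "carol@example.com", "dave@example.com"
    tok = ledger.request_opt_in(alice, "email", "web form", True, t0)
    before = ledger.may_contact(alice, "email")              # pending only
    ledger.confirm_opt_in(alice, tok, t0 + timedelta(hours=1))
    after = ledger.may_contact(alice, "email")
    other_channel = ledger.may_contact(alice, "sms")         # consent is per channel
    try:
        ledger.request_opt_in("bob@example.com", "email", "web form", False, t0)
        prechecked_rejected = False
    except ValueError:
        prechecked_rejected = True
    ledger.request_opt_in(carol, "email", "in-store", True, t0)  # never confirms
    tok = ledger.request_opt_in(dave, "email", "web form", True, t0)
    ledger.confirm_opt_in(dave, tok, t0 + timedelta(hours=2))
    ledger.record_engagement(dave, t0 + timedelta(days=380))
    ledger.withdraw(alice, "email", t0 + timedelta(days=30))
    purged = ledger.purge_unengaged(t0 + timedelta(days=400))
    return {
        "before_confirm": before, "after_confirm": after, "other_channel": other_channel,
        "prechecked_rejected": prechecked_rejected, "purged": purged,
        "remaining": sorted(ledger.contacts), "dave_history_len": len(json.loads(ledger.export(dave))["history"]),
    }
```

In `demo()`, Alice withdraws her only channel and Carol never completes the double opt-in, so both are removed by the retention purge; Dave confirmed and engaged within the window and is kept, and his export shows both the pending and the granted events as the paper trail for that channel.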
The full text of the new regulation can be found here. If you need help understanding how to review your data, set up new data collection processes, or automate double opt-in and triggered programs, please contact us.