If you’ve been processing European consumer data, working with European partners, or are considering expanding operations into Europe anytime soon, then you’ve probably heard of the European General Data Protection Regulation (EU GDPR). Adopted by the EU Parliament in 2016 and becoming enforceable across the EU in May 2018, GDPR replaces the long-standing Data Protection Directive of 1995.
It is causing quite a stir among marketing, tech, and data companies because it materially changes the requirements for collecting, managing, and using EU consumer data.
So what does the EU GDPR mean for you? What does it mean for brands that leverage a wide variety of tech and data sources? Even if you don’t do business in Europe, you’re likely working with someone who does.
Getting Your Data in Order
The underlying purpose of the EU GDPR is to set a minimum data protection standard across Europe that gives EU consumers more control over their personal data. GDPR, in fact, expands the definition of personal data to cover any information that refers to a single individual, including “pseudonymous data” like cookie IDs and hashed identifiers.
In other words, the EU GDPR sets a higher expectation for transparency and consumer consent than either the Data Protection Directive that came before it or the notice and choice standards regulated in the United States. The new standard ensures that consumers have enough information about how the data will be collected and how it will be used so that they can make well-informed and appropriate choices about the information they share with you.
Compliance will require demonstrably meeting transparency requirements without having to cobble together a million Excel spreadsheets. So if you haven’t already, a great place to get started is to take stock of your data sets and data sources. Any data collected prior to May 2018 that doesn’t meet the new standards will become invalid.
So take a look at your data with the goal of being able to answer the following questions:
- How are you collecting data?
- How are you notifying consumers about your data collection practices?
- How are you using the data you collect?
- Are you getting consent for each use and, if so, by what means?
As you can see, the biggest impact of the EU GDPR is around the type of notice and the form of consent for any data collected. This is because the legal grounds for collecting and using personal data will require a new level of permission. As such, EU GDPR’s requirements—including that consent must be voluntarily provided, unambiguous, and not inferred from inaction—will mean that many data collection methods need review and updating.
If your company doesn’t collect or use consumer data on its own, you should still plan to speak with your service providers and data suppliers about their EU GDPR plans. Their preparations matter because they affect your compliance as well. Consider having a privacy expert or lawyer review any contracts to determine whether the provisions adequately capture EU GDPR requirements.
And the same goes for any third-party providers. If they’re going to be placing cookies or collecting data from your site, then you may need to help provide notice about such data collection.
This can be addressed by adding a pop-up or banner on your website notifying visitors about cookie placement, as many brands operating in the EU are already doing. A visitor should actively provide consent via an affirmative, prior, and unambiguous action. Now is a good time to establish what kind of notice you want to give site visitors, how that consent will be collected, how you will be able to provide technical proof of the consent, who it will be shown to, and how it will function on your site.
Next Steps for Your Data
Once you’ve met the EU GDPR requirements for the data you’ve collected on your customers, you’ll also have to provide data subject access rights (“data subject” being the regulation’s term for the individual the data relates to). Everyone, including brands, will need to provide consumers with access to data relating to them and the ability to delete, port (transfer to some other entity), or correct it.
Look into already-built software options (like OneTrust), or consider if building your own solution is right for your company.
Wherever you are in your journey to GDPR compliance, it’s important to consult with a lawyer to see how your company might be affected by it. For more information on GDPR, take a look at our resources page.