EU privacy legislation: GDPR tips for marketing agencies

The General Data Protection Regulation’s effective date has passed, and marketing agencies are still scrambling to ensure they’re in compliance with the EU privacy legislation. Here’s what marketing agencies should do to make sure they’re caught up on GDPR compliance.

GDPR deadline information

GDPR was designed by the EU to make sure the economic and political bloc’s citizens have control over their digital data. Industries that deal in data were rushing to comply with the privacy legislation up to the May 25 GDPR deadline – and probably past it as well. With Ma 25 having come and gone, businesses in the EU or businesses that deal with EU citizens’ data are now required to comply with the data regulation or face stiff fines for violations.

Polling and most reports indicate that many of the businesses that will be subjected to the EU privacy regulation are not yet prepared for its implementation. The Ponemon Institute in April surveyed 1,000 companies and found that half of them were not ready for GDPR. And Ponemon wasn’t alone in its discovery. Victor Janulaitis, CEO of Janco, explained his own company’s review determined many businesses are not prepared for the EU privacy legislation.

“We have reviewed the compliance plans of over 200 SMB enterprises and have found that 34 percent of the companies are not ready to meet the EU’s GDPR requirement,” he told Channel Partners Online around two months before the GDPR deadline. “Most say the GDPR requirements are very complex, not enough resources have been allocated and that many of the skills required to implement GDPR are in short supply. In any case, most feel they will comply by the latter half of 2018, well after the compliance deadline.”

Who does GDPR apply too?

First thing’s first: Yes, GDPR may affect your U.S.-based marketing agency. Your location has little to do with whether the EU privacy legislation applies to your business. Instead, the data regulation is built around consumers’ locations. However, there’s an important distinction to make here. If at the time you collect the data of an EU citizen, he or she is outside of the European bloc, then GDPR does not apply. The law only applies if the individual who owns the data in question is located within the EU at the time of data collection. Don’t worry, though. It gets more confusing from here.

You may think that in order for GDPR to apply a financial transaction must take place. However, that too is untrue. Money exchange is not a prerequisite for the EU privacy regulation. As long as an individual’s data or behavioral information has been collected by your agency, that individual’s data may be subject to GDPR depending on his or her location at the time.

GDPR personal data definition

So, what sort of data are we talking about? GDPR applies to two categories of data: personal data and sensitive personal data. The latter is technically a subsection of the former. Here’s what each category consists of:

europe privacy legislation gdpr

How do I comply with GDPR?

It’s important for all businesses that handle personal data that may be sourced to the EU to comply with GDPR. The data regulation includes large fines for businesses that violate privacy protections. Because of the risk, GDPR violations pose for businesses it’s important to ensure compliance with the EU privacy legislation. Here are a few tips to help your business adhere to GDPR:

Who are your customers?

The first thing to do is make sure you know who your customers are. If any of them are from the EU, or spend time in the EU, then there’s a chance your business is holding onto data regulated by GDRP.

Who is your IT team?

Marketing and IT may work closely, they may not: It really depends on your business. But with GDRP in effect, it’s important for your marketing and IT departments to get a little closer. After all, they’ll need to work hand-in-hand to ensure compliance with the EU privacy legislation. If you haven’t yet, get marketing and IT leaders together to come up with a plan for data privacy.

Develop written privacy policies

Your business will need written policies for both GDPR and privacy in general. Develop these policies and have members of your marketing, legal and IT teams review the copy. Once your privacy policies are finished, post them in a prominent place on your website. Try setting up a page dedicated to privacy information, and linking to it in your website header or footer.

Audit your existing data

All of your data may not be GDPR compliant. Especially if you’ve been holding onto some of it for a long time. With GDPR in effect, it’s time to audit your data if you haven’t done so already. The audit’s focus should be opt-in consent. Did individuals provide consent to your agency to use their information? If you have data that individuals did not consent to provide, you’ll have to delete it or ask the person to opt in. It could be helpful to run a new opt-in campaign for everyone whose data you’re storing.

Your audit should include a review of third-party vendors that have access to your databases. You’re responsible for ensuring those providers are also GDPR compliant.

Create a new opt-in policy

If you haven’t yet, craft new opt-in policies based on GDPR requirements. Ultimately, these will be part of your larger privacy policy. Having standardized opt-in procedures will ensure that your business never violates GDPR as you collect prospects’ data. With the new EU privacy legislation in place, it’s essential to have a standard opt-in process for all prospects.

EU privacy legislation coming to the U.S. soon?

With GDPR now effective in the EU, some people are wondering whether similar data regulations will come to the U.S. GDPR is certainly an opportunity for U.S. businesses to buck up their privacy policies ahead of similar legislation making landfall across the Atlantic. However, whether that happens is no guarantee. Currently, whether the U.S. adopts similar privacy legislation is speculative.

At the state level, a number of governments are making progress with their own data regulations. For example, Vermont lawmakers passed a rule that requires data brokers register with the government. And in California, an upcoming ballot would put similar requirements in place. However, opposition to EU-style privacy regulations remains. IBM recently came out against similar legislation in the U.S. And officials from the company are meeting with lawmakers to discuss the issue further.

While the future of data regulation in the U.S. is unknown, the EU’s approach to data privacy is now set in stone. And if your business serves individuals across the Atlantic, it’s time your company updated its data policy.