A seismic shift in data-driven marketing is about to take place in Europe, sending a ripple effect across the globe. On May 25th, the General Data Protection Regulation (GDPR) is set to take effect and will reshape how organizations handle data privacy, even those headquartered outside of the European Union. With the deadline looming, American-based global companies are scrambling to become GDPR compliant. Those that fail could face steep penalties of up to €20 million or 4% of a company’s global revenue, whichever is larger.
Despite the consequences, Gartner predicts that by the end of 2018, over 50% of companies affected by GDPR will not be in full compliance. This is troubling, as failure to abide by the regulation could also result in severe reputational damage, amongst other penalties. The breadth of GDPR is wide, shaping how global companies handle personal data for years to come. For any organization that interacts with European consumers, from small e-commerce startups to established global entities, this regulation cannot be ignored.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation put in place by the European Commission to improve data protection for individuals within the European Union. It will complement existing data protection laws within the EU, replacing 1995’s Data Protection Directive (DPD), which was enacted before the rise of the digital economy.
Under GDPR, companies must observe a strict set of provisions regarding why and how they collect data. A few key regulation rules include:
- 72-hour Data Breach Window: Article 33 of the GDPR states that organizations must alert all European data providers of a data breach within 72 hours.
- The Right to Be Forgotten: Article 17 enables individuals to request the deletion or removal of personal data from an organization.
- The Right to Data Portability: Article 20 allows individuals to obtain their personal data from an organization at any time.
- Data Collection of Children under 16: Article 8 asserts that the processing of personal data of a child under 16 years old is unlawful without express parental consent.
- Conditions for Consent: Article 7 requires that all personal data a company collects be given freely by an individual and not obtained in any other way.
- Clear Privacy Transparency: Article 12 states that organizations must provide concise, transparent information about how personal data collected online is utilized.
What Qualifies as Personal Data?
Personal data refers to any direct or indirect information relating to an identified natural person. Examples of personal data under GDPR include:
- Email Address
- IP Address
- Device ID
How Will GDPR Affect My Business Efforts?
While GDPR directly relates to how European personal data is handled, the effects are likely to reach across the Atlantic. Research from Altimeter reports that 30% of U.S. Internet users are concerned about “companies collecting and sharing data.” Some believe it is only a matter of time before a similar regulation is authorized in the United States.
“GDPR is the single most significant regulation of digital advertising ever,” says Doug McPherson, Chief Administrative Officer at OpenX. Even if your business does not have an office in Europe, if you are serving digital advertising to EU citizens, you must be GDPR compliant.
Digital advertising has long relied on ad personalization and contextualization through cookies. Under GDPR, organizations will have to secure consent before targeting European individuals. This has already started to roll out across many websites, which now display a cookie agreement pop-up as a soft opt-in, explaining how the company will use your cookie data in exchange for use of the site. This sort of initial notification provides brand transparency to any potential visitor.
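To show what "consent before targeting" looks like in practice, here is an added example (not code from the original article or any vendor) of a consent gate that only loads non-essential trackers after an explicit opt-in, and re-prompts when the notice changes or the stored choice is stale. The purpose names, tracker catalogue, policy version and 12-month validity window are assumptions; it goes beyond the soft opt-in described above by treating "no recorded choice" as "no consent".

```javascript
// Added example: explicit consent gate for cookies and trackers.
// Policy version and validity window are assumed values for the demo.
const CONSENT_POLICY_VERSION = "2018-05"; // bump whenever the cookie notice text changes
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // re-ask after 12 months

// Build the record to persist (e.g. in a first-party cookie) when the visitor
// submits the dialog. Any purpose the visitor did not tick defaults to false,
// so silence is never interpreted as consent.
function createConsentRecord(choices, now = Date.now()) {
  return {
    version: CONSENT_POLICY_VERSION,
    timestamp: now,
    purposes: {
      necessary: true, // strictly necessary cookies need no consent
      analytics: choices.analytics === true,
      advertising: choices.advertising === true,
    },
  };
}

// A stored record only counts if it was given against the current notice
// and has not expired; otherwise the dialog must be shown again.
function isConsentCurrent(record, now = Date.now()) {
  if (!record || record.version !== CONSENT_POLICY_VERSION) return false;
  if (typeof record.timestamp !== "number") return false;
  return now - record.timestamp <= CONSENT_MAX_AGE_MS;
}

// Decide which trackers may run. Without a valid record this is default-deny:
// only "necessary" is allowed, so nothing personalizes before consent exists.
function allowedTrackers(trackers, record, now = Date.now()) {
  const purposes = isConsentCurrent(record, now)
    ? record.purposes
    : { necessary: true };
  return trackers.filter((t) => purposes[t.purpose] === true);
}

// Constructed tracker catalogue for the demo (hypothetical names).
const TRACKERS = [
  { name: "session-cookie", purpose: "necessary" },
  { name: "site-analytics", purpose: "analytics" },
  { name: "ad-personalization", purpose: "advertising" },
];

// Stand-alone demo: with no stored choice, only the session cookie loads.
console.log(allowedTrackers(TRACKERS, null).map((t) => t.name));
```

In a real page, the visitor's submitted choices would be passed to createConsentRecord and the result stored, and every tracker loader would be wrapped by allowedTrackers rather than firing unconditionally.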
The unveiling of GDPR compliance opens the door to a new role: managing organizational data protection. A data protection officer (DPO) is a mandatory role under Article 37 of GDPR for all companies that collect and process EU citizens’ personal data. A DPO could be a newly created position, a new responsibility for a current employee, or even an external digital consultant.
GDPR may require large-scale corporate change from within. As privacy becomes the default, companies will be obligated to design website pages with data privacy at the forefront. So-called “Privacy by Design,” together with the DPO position, could result in major internal transformation. Change management consultancies can help enable internal operational transformation for companies driving toward and maintaining GDPR compliance.
Opportunities After Regulation
There is no question that GDPR will considerably disrupt organizations reliant on data collection. However, this regulation should not simply be treated like another compliance task corporations are forced to observe. While compliance should be the immediate priority for global businesses operating in the United States, GDPR will prove transformative for digital experiences years after its enforcement.
GDPR compliance presents a significant opportunity to build customer trust and relationships. Returning control of personal data to customers will not only improve the quality of data collected, but also strengthen brand loyalty. Privacy is a top concern for many consumers worldwide, and businesses that take data protection to heart will likely be rewarded with brand loyalists, increasing profitability.
Customer-controlled data also offers the opportunity for increased engagement, which could potentially lead to new products and services. Spotify is a shining example of a company utilizing data for higher customer satisfaction and engagement. The music streaming giant launched Spotify Insights in 2015, giving listeners a look into the analytics behind their favorite music while allowing artists access to data to help them better target fans. The results have allowed Spotify to create more personalized playlists for subscribers, like Discover Weekly and Your Daily Mix, while increasing listening diversity through data-driven algorithms.
Organizing for Compliance
Global organizations in the United States and beyond should already be strategizing, and even implementing, tactics to comply with GDPR. While the preparation for initial compliance may be internally taxing, meeting every measure of the regulation is necessary. It is likely that GDPR is the beginning of a new normal concerning data privacy. And if history proves correct, when a business puts the customer first, everyone wins. The authors of GDPR hope to do just that.