GDPR: What All Marketers Need to Know

Rumours around the European Union’s General Data Protection Regulation (GDPR) have turned into full-on rumblings in recent months, as the new rules go into effect in May. The EU regulation will affect how marketers across every business and industry inter

The Malta Business Weekly - FRONT PAGE

In practice GDPR will shield consumers from the default position of having their personal data tracked across the internet. If an EU consumer wants their personal data to be accessible for collection and tracking, they must take specific steps to consent.

The details matter, so here’s an overview of the regulation and its implications – note this is not legal advice. As always, we encourage you to consult with your own legal counsel to familiarise yourself with the requirements that govern your specific situation. Deloitte and Salesforce are committed to helping you remain successful in this new environment, and believe that understanding the ins and outs is the best place to start.

What is the GDPR (and what does it have to do with marketing)?

GDPR stands for General Data Protection Regulation. It regulates how companies can collect, process, and use personal data from EU individuals. It was adopted in 2016 and goes into effect May 2018. For marketers, in particular, the regulation impacts how you keep track of and communicate with consumers.

Who does the GDPR apply to?

While the GDPR applies to companies headquartered in the EU, it also applies to any business or organisation processing the personal data of EU individuals, regardless of where they are headquartered.

The consequences for noncompliance are steep. Serious infractions carry a fine of up to €20 million or 4% of a company’s annual earnings, whichever is greater.

The EU is sending a clear message that it’s taking a strong stance on data protection. For that reason, marketers need to be ready to comply.

How does the GDPR affect marketing?

While, for now, the new law only affects brands located or doing business in the EU, all marketers should be aware of GDPR requirements for how companies must collect, process, and delete consumer data.

Collecting data

A big push behind the GDPR is the desire for more transparency between consumers and companies when it comes to personal data. Consumers want to know when, how, and why their personal data is being collected.

The GDPR requires companies to inform consumers of all the personal data collected about them and how it will be used. Companies must also notify consumers that they may revoke their permission to collect and use that data at any time.

Since GDPR doesn’t recognise opt-out consent as the default, when a new consumer opens an account, makes a transaction, or signs up for a newsletter, pre-checking a consent box to collect or use their data for any other reason will no longer cut it. Consumers must be given the opportunity to decide whether to give consent (or opt in) to any use of their data for communications, tracking, or anything else. This means marketers will need to come up with more creative tactics to encourage consumers to opt in for things like product suggestions and communications.

What about data that’s already been collected?

These rules apply not only to data collected after the regulation goes into effect, but also to data collected before. Unless marketers have been following practices that would meet GDPR standards all along, they must obtain opt-in consent from consumers or discontinue use of the data they’ve collected.

Processing data

Once you have obtained consent to use a consumer’s data, the important thing to remember is to use it only for that reason. If you want to use it for another reason or to share it with another party, you must obtain separate permission from the consumer to do so. For example, if a consumer opted in to receive product offers via email and now you’d like to track their activity across your website as well, you’ll have to obtain separate consent to do so.

The other important part of the GDPR that pertains to using data is the safe and secure storage of it. This encompasses many definitions of “safe and secure,” including:

• Storing it in a way that it cannot be stolen, lost, or altered.
• Encrypting it during transit to prevent it from being accessed by unauthorised people or systems. If you already use Salesforce Marketing Cloud, you don’t need to worry about this.
• Ensuring that only the people – marketers, for example – who need to access it for the specified purpose are able to do so. Salesforce Marketing Cloud already segregates data at the account level, so that only properly designated people can access it.

The GDPR stresses that protection is especially critical for biometric data – for example, a fingerprint that can be used to unlock a phone – or data about children.

Deleting data

Finally, the GDPR governs how companies relinquish data once their relationships with consumers have ended. To protect consumers’ “Right to Erasure,” companies must now have a plan in place for deleting data. As mentioned above, the GDPR says that companies may only use personal data with clear consent by the consumer and for a specified purpose. Once that purpose has been fulfilled, a company must justify any reason for continuing to hold onto personal data.

If, at any time, a consumer requests that their personal data be deleted by a company, the company must respond within thirty days (keeping in mind the right to deletion is not absolute under the GDPR). Similarly, if a person requests a correction or updates to their personal information, the company must respond to that request within 30 days.

Redefining the relationship between consumers and brands

The GDPR is all about transparency and protecting the rights of consumers. Companies that do business in the EU can protect themselves by following GDPR requirements and keeping detailed records to demonstrate their compliance.

At the end of the day, the GDPR clarifies the relationship between consumers and brands, encourages transparency, and protects the rights of EU individuals. Brands that comply — and many already have practices in place that do so — can benefit from a more trusting and open relationship with the people they depend on. For more information, please visit www.deloitte.com/mt/gdpr or www.deloitte.com/mt/salesforce
