Your Business, Digital Marketing & The GDPR

If you are subscribed to any online service you have most likely received at least one email or notification about updates to privacy and data policies relating to the GDPR. Depending on your level of interest you may not even know what the acronym means and why you should be taking it pretty seriously. To this end, we have laid out a few points to understand and consider when it comes to digital marketing and the use of data related systems and services

What is the GDPR:

The GDPR (General Data Protection Regulations) is Europe’s new framework for data protection laws. It aims to “harmonise” data privacy laws across Europe as well as to give greater protection and rights to individuals within the EU.

It will require companies covered by the GDPR to be more accountable for their handling of people’s personal information by having data protection policies, data protection impact assessments and relevant documents on how data is processed. Bigger companies may be required to have documentation of why people’s information is being collected and processed, how long it is being kept for and for some companies the appointment of a data protection officer will be mandatory.

Consumers worldwide have become tired of unsolicited messaging and, moreover, they have become aware of just how much data about them exists online. If you are surprised by this then, well, we are pretty surprised you are surprised. How many times have you received unsolicited emails, SMS’s or targeted ads online?

Whilst this is not a new problem or a Europe specific situation, the GDPR represents one of the biggest steps forward in providing a solution and creating consequence for companies that do not respect a user’s data and privacy rights. This helps us understand that data has value and therefore, owners of the data have rights and user of the data have responsibilities.

But we are not in Europe so why worry.

It’s a good and valid point, one which the EU knew you would have and to which they have applied the following (emphasis my own):

Article 3 GDPR: Territorial Scope:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
3. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
4. the monitoring of their behaviour as far as their behaviour takes place within the Union.
5. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Art. 3 GDPR - Territorial scope | General Data Protection Regulation (GDPR)

Caitlin Gottschalk, a Professional Advisor at Blank Ink Advisory, broke down the meaning of this for us:

It is important to understand that it is irrelevant whether a company has an establishment or office in the EU or whether the data-processing activities take place in the EU, the GDPR will apply if any of the factors below are present:

• offering goods or services to EU citizens, irrespective of whether any payment is received;
• processing or holding information on EU citizens;
• monitoring the behaviour of EU citizens.

The application is not limited to companies that have a legal entity in the EU, as explained above, but rather it applies to any company with permanent and stable business activities in the EU.

This means that companies with a representative in the EU, companies that have a specific website directed at an EU country or companies with a local EU postal address or bank account could be included.

Read more on this and the legal basis and considerations of the GDPR here.

You can also read the regulation notes here: https://www.eugdpr.org/the-regulation.html

Consequences of non-compliance and continued abuse.

As already explained, the GDPR is not a new concept but rather a framework that now provides for consequence of abuse. If you have any doubt that this is enforceable then please consider this:

“Within the first day of being enacted Google and Facebook received fines of up to $9,3 billion dollars!”

The GDPR makes provision for any violating company to receive fines of up to 20 million euros or 4% of annual global turnover. Whilst you may believe that this will only apply to larger or foreign businesses it is important to know that the GDPR regulators have made it clear that they will be stringent in their prosecution, regardless of companies size or location.

So you see, depending on your business’s interaction in the digital space and internationally, there could be a significant risk to your business.

If you are looking to automate a lot of the Cookie and Policy management aspects of your site try Cookie Pro

But we don’t use people’s data?

Are you sure?

Consider this:

• Do you use social media for your business?
• Do you use social advertising for your business (Facebook ads or similar)?
• Do you use advertising systems like AdWords?
• Does your site use Google Analytics?
• Do you use email and/or automated marketing systems?
• Do you keep your sales data such as customers and leads (even physical records)?
• Are any users accessing your site and providing you with information from within the European Union?

If you said no, then great. Somehow you are running a business independently of technology. But if you answered yes to any of the above then you are potentially engaging with user data which means you are already at risk.

At this point, I need to digress slightly to provide you with an understanding of the two distinct positions of data entities. A business will most likely primarily be a data controller and occasionally a data processor.

The controller is the actual entity that needs the collected data and makes decisions around the purpose and means of collecting the personal data. A controller knows which data it needs, why it needs it and how they want it collected.

A processor, on the other hand, is an entity that handles the processing of user data on behalf of a controller. The processor would be responsible for the collection, storage, and structuring of data for the use of the controller. Examples of processors you may be using already could include Google Analytics, AdWords and Social Media platforms.

Google and other tech data giants are aggressively pursuing elements in the GDPR that push compliance onto the data controller (you) while protecting themselves where possible. It’s not really a surprise if we are honest, as the largest data processors they have the most to lose and aspects of their system architectures may be dependent on functions that would otherwise become non-compliant.

Google recently published the following:

The new GDPR terms supplement your contract with Google and will come into force on 25 May 2018.

• For AdWords customers globally, our GDPR terms are incorporated into the terms of service, which (if you’ve not done so already) you can accept in your account. In the case of AdWords Customer Match and Store Sales Direct, Google acts as a processor; for the rest of AdWords we act as a controller.
• For customers using DoubleClick and the Google Analytics (GA) Suite, processor terms are available for you to review and accept from within your account. If you are an EEA client of GA, data processing terms will be included in your terms shortly. GA customers based outside EEA and all GA 360 customers may accept the terms from within GA.
• If you don’t contract with Google for your use of Google products, you should seek advice from the parties with whom you contract.

Product changes To comply, and support your compliance with GDPR, we are:

• Making some changes across the network of publisher sites on which your ads may appear — enabling publishers to show non-personalised ads and to select which third parties measure and serve ads for EEA users on their sites and apps.
• Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
• Unifying our ads data retention practices; and launching new controls for Google Analytics customers to manage the retention and deletion of their data.
• Exploring consent solutions for publishers, including working with industry groups like IAB Europe.

You may have noticed that they have pushed their changes onto you and, if you continue to use the Google systems, you are liable for the protection of the data. They also note that the updated terms will also be applied to customers (your business) outside of the EU.

“you can accept in your account” — in reality, much like the majority of online services we all use these days, not accepting just means no access. In consideration of this, it may not be a case of if you need to be compliant but rather how soon you need to be.

Still not convinced?

If you feel that you still don’t need to worry about this then we wish you luck. However, if there is any doubt, you should at least consider getting an informed legal opinion on the matter. You need to make decisions that you feel are best for your business and knowledge really is power.

Until you are able to get a proper opinion there are some basic steps you can take that are easy to execute and low cost:

1. Check if your site is using google analytics. You can inspect the code or install the Google Tag assistant in Chrome (link).
2. Check if you are using social media to market your business.
3. You can access the data in these systems to view aggregate user location information and with this, you can begin to understand if you have low or high numbers of European users.

If your company is efficient in one of the above tracking systems there is a great probability that you have some more advanced data sets you can reference for even greater detail. Just ask your teams working in Search Engine Optimisation, Website Management, Social Media Marketing or Business Analysis.

Takeouts:

1. The GDPR is not just for Europe! If you process data of European citizens you must be compliant.
2. If you are using any social media or digital marketing systems, you need to consider the very basics of online compliance. You don’t need full legal compliance but you should at least engage the basics.
3. It’s not new but now it’s serious. The GDPR does not really put forth anything we have never heard of before but rather standardizes regulations, sets out compliance and creates a consequence.
4. Don’t go mad but do go honest. Give users some basic access to the data you are storing on them and provide them with easy to use opt-in and opt-out processes.

Summary:

The GDPR represents the continuous progression of business online. It was never in question if a regulation such as this would come into existence so much as when. Businesses have, to their own detriment, abused the data of consumers and, in many instances, put their users at risk.

The GDPR is not an attack on business but rather a means of regulating when, how and why data is collected and used. As a business, you may want to pull your hair out but as a consumer, you most likely have already come into contact with data abuse in your own capacity.

Your business will not suddenly cease to exist online. You need to simply understand where you need to be compliant and apply these processes.

*All materials have been prepared for general information purposes only to permit you to learn more about the subject, our services and amount to no more than opinion. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.

Originally published at Media Rocket | Simple | Intelligent | Online.