The General Data Protection Regulation, or GDPR, is an EU initiative that has been mutually agreed to by the European Commission, the Council of the European Union and the European Parliament. The primary purpose of the GDPR is to help ensure the security of data flowing through EU channels by unifying all other data protection measures under a single umbrella.
Marketing professionals who engage with prospects and customers in the European Union (EU), particularly with email campaigns are paying special attention to GDPR right now, as the new regulation requires a thorough review of your e-marketing business policies and practices.
GDPR was adopted to replace Directive 95/46/EC of 1995, a measure that most technical experts agree is outdated. Agreed to on April 27, 2016, GDPR becomes law of the land on May 25, 2018. Because the GDPR was approved by all three major governing bodies of the European Union, it does not require the validation of any national government in order to become law. It also extends its scope to include any country outside of the EU that processes any data from EU residents or companies.
The problem of spam email and existing regulations.
Directive 95/46/EC did not cover the scope of business within the EU as technology expanded. There were no easily enforceable penalties for countries outside of the EU that used spam mail as a marketing tactic. Existing regulations were full of too many loopholes – it was far too simple to hide the origin of a questionable data query or malicious form of outreach. Although the EU as a whole may have had control of resources to reduce these problems, there was no binding law as to how the EU would use those resources.
Many companies within the EU that based operations around the EU as a whole, were left completely unprotected. The regulations of individual member states were not always up to par, and some EU member states had no regulation at all. For the most part, even if regulations were in place, most EU member states did not have the personnel or the budget to enforce them. The overall result? EU companies felt (and were, for the most part) unprotected from outside espionage and even underhanded competitive techniques from member state businesses.
Who is impacted by GDPR?
Upon enactment, the GDPR affects every organization and business that was founded inside of the European Union. However, the measure also affects any company that wants to do business with any consumer that is a citizen of an EU country.
If a business was founded within the EU, it does not matter if that company’s data processing is done inside of the EU. The language of the GDPR maintains jurisdiction over these businesses and acts as if their data was processed inside of the Union.
Why should I care (or consequences/what happens if I’m not compliant?)
The maximum penalties for serious breaches to the GDPR are quite massive. They can reach the greater number of 4% of annual turnover (in the US, turnover is global revenue) or a set fine of €20 million (nearly $25 million US). Fines are set on a case by case basis, and multiple infractions of a single action may be counted as separate instances for the purposes of applying penalties. This means that one email blast that is out of compliance and sent to 10,000 EU businesses may count as 10,000 infractions under the auspices of the GDPR.
The most serious offenses are an inability to produce proof of customer consent upon a legal audit or violation of the core principles of Privacy by Design.
If a company is unable to comply with the rules of record keeping, that company may be fined up to 2% of its annual turnover under Article 28. If a breach is mistakenly produced by a company and it does not perform a timely assessment of impact or inform a supervising authority, the fine may also be up to 2% of annual turnover.
Clouds are not exempt from any of the penalties that are mentioned above. They apply to both processors and controllers alike.
Companies inside of the EU are obviously easy for the EU to punish or sanction, but businesses outside of the EU have a more legitimate question here. How exactly can the EU punish a company from the US, Japan, or Russia that tries to disobey or work around the GDPR?
International law plays a huge part in authenticating the authority of the GDPR. If a foreign company has a physical presence within the EU, then penalties may be physically enforced within those boundaries. For companies without a presence in the EU, the GDPR requires a “representative” as part of its new initiatives. The representative works on your behalf, as the local liaison with the data subjects and the supervisory authorities in the EU countries where you conduct business. There’s speculation that the role of “representative” for GDPR is so critical that is may drive a new job sector: representatives of non-EU companies.
EU courts will have the majority of discretion in determining if a foreign country is doing business in the EU and if their data collection efforts fall under the auspices of the GDPR. The courts may forgive certain infringements of the GDPR by a foreign country if the collection is found to be just occasional or accidental. However, the final decision will be left completely up to the member state in which the infraction takes place. Countries like Germany have already implied they will be much less lenient when it comes to imposing penalties on foreign companies.
Countries that have mutual agreements with the EU may find themselves facing domestic regulators if they dare to infringe upon the GDPR. For instance, the purpose of the EU-US Privacy Shield data sharing agreement coincides with the underlying concepts of the GDPR. Because this is considered an important agreement by both entities, any US company that is found to be in violation of the GDPR will likely find itself confronted by US regulators as well as by EU courts.
Are there some notable examples of other anti-spam laws and the consequences (like Canada)?
The GDPR models itself somewhat after Canada’s Anti-Spam law. Canada faced many of the same problems as the EU before invoking its new legislation – many Canadian companies felt completely unprotected from outside espionage, and Canadian consumers were being bombarded with spam email from foreign companies with no recourse or respect for their individual privacy.
The Canada Anti-Spam law invoked severe penalties on any Canadian company that was found to be involved in underhanded customer acquisition or other outreach techniques. However, the most important part of the law was that it was the first of its kind to extend a digital reach to companies outside of its immediate jurisdiction.
Canada used the leverage of its consumer and producer class and its international agreements to coerce other countries to help it enforce the Canada Anti-Spam Act on businesses that were not formed within the borders of Canada. The result was highly successful. Canadian companies and consumers began to enjoy a much less pressured digital environment, and companies that were trying to do business with Canadian citizens and companies were forced to change their marketing tactics.
What changes will you need to make because of GDPR (or what do you have to do differently)? [Record keeping, consent, etc.]
The average company will be responsible for fairly sweeping changes in the way they conduct customer engagement and acquisition campaigns. GDPR requirements are much stricter in terms of obtaining consent to be contacted for business purposes. Additionally, a prospect has official rights under the GDPR to withdraw consent at virtually any point in time.
Companies must also collect a number of different consents from prospects in order to engage in previously connected information grabs, acquisition outreach activities and ongoing communication efforts. In most cases, companies will be guilty until proven innocent when it comes to proving that they have permissions to engage prospects.
Simply adding a small text disclaimer to a newsletter is no longer suitable for permission, by the way, nor is simply providing a semi-hidden opt-out option. There are other changes that are contained in the new measures, but dealing with these alone will change how most companies do business within the EU quite significantly.
For instance, companies will be required to review their current business practices. The most important aspects of the new regulations demanding compliance include adherence to email marketing best practices and double opt-in rules. In order for a prospect to legally receive ongoing communications, he or she will be required to either click a box or fill out a form, then state their action again in a future email.
If a company holds data of any sort that can be used as a personal identifier, that company must prove consent from the prospect to receive that information. In order to legally hold data, the company must time stamp receipt of the information and report all information on the opt-in, as well.
Companies may still purchase third party marketing lists. However, this information is now worthless unless the company receives consent to communicate with each individual on that list. The buyer of the list is held responsible for all breaches of GDPR contract even if that company outsourced data gathering to a third party.
No longer will companies simply be able to add new contacts to a mailing list from trade shows or industry conferences. Just because a person gives a company representative a business card does not mean that company has the right to contact that representative digitally. New methods of information gathering are creating efficient avenues for information exchanges under the GDPR, but most of them remain untested.
Are there any exemptions (like previously acquired consent)?
In order to understand the true implications of the GDPR, it may be more salient to determine the rules that allow for NO exemptions. Regardless of any loopholes that companies may eventually find, the rules with no exemptions will certainly be the bottleneck for any future marketing efforts.
The first no exemption rule is the “right to object.” The right to object substantiates the power of the individual being contacted to stop their data being processed for direct marketing purposes. A company must stop processing a prospect’s data immediately upon receipt of any request from the prospect to do so. Additionally, companies are responsible for communicating this right to prospects at the beginning of any communication effort.
There are no exemptions or protections from punishment for companies who receive information from an outside party. Each company is fully responsible for gathering legal consent for every action that it takes. Outsourcing any aspect of data gathering or outreach does not exempt a company from any liability whatsoever.
Exemptions can be introduced to the GDPR by member states. Exemptions can only be introduced if they do not infringe upon the basic rights that are set forth in the underlying framework of the GDPR. No exemption may be introduced that infringes on national or public security, defense efforts, any prosecution or prevention of criminal acts, causes a breach of ethics, limits the ability of law enforcement to monitor or inspect regulatory functions or any security or public interest, or cause danger to any judicial proceeding.
Member states are allowed to introduce exemptions that relate to the following processing activities:
- Freedom of information or freedom of expression
- Religious rights, churches or associations
- Employee data processing
- National ID numbers
- Official access to public documents
- Obligations of secrecy
- Archiving for scientific or historical purposes
Where can I learn more?
The official website of the GDPR features a countdown clock of exactly when the GDPR will be enforced. It also contains a navigation bar of salient topics concerning the GDPR. These topics include the following:
- An introductory FAQ to the GDPR
- Key changes that companies can expect
- The most controversial topics that the GDPR has encouraged so far
- Summaries of articles that are relevant to the GDPR
- A timeline of the GDPR
- A chronicle of how the regulation came to be
- A list of secondary resources about the GDPR
- A list of partners who are involved in the administration of the GDPR
In short, the GDPR will affect the world economy in many different ways. It will also serve as a guidepost for other digital agreements that may come from emerging economies and First World nations who are looking to protect their citizenry and the viability of their companies.
How do you see the impact of GDPR on your B2B marketing efforts to break into new markets and grow your customer base? We’d love to hear from you.