G-D-P-R You Kidding Me?

Ben Plum

What Digital Marketers Need to Know About the New EU Regulations

GDPR stands for General Data Protection Regulation and is a piece of European legislation that dictates how user data should be handled by companies and organizations in the EU. If you are a digital marketer based in the US, try not to tune the news out as there is a good chance it will impact your work. The regulations state that anyone ‘processing the personal data’ of any person living in the EU will need to comply or face legal and financial action.

Quick note: While we hope this overview gives you a sense of how you might be impacted, be sure to seek legal advice if you have specific questions about how the GDPR applies to you.

Data, Data, Everywhere

The GDPR mandates that an organization’s practices and policies must give users control over how their data is collected and ultimately used. This includes sending notifications in the event of a data breach (or hack), the user’s right to access their data and to have it deleted, and a proactive stance on privacy and security. Specifically, the new regulations cover the following areas:

  • Breach notification – In the event of a data breach, or hack, site owners are obligated to alert anyone affected within 72 hours.
  • Right to access – Site owners must provide a copy of any data collected on a user if requested.
  • Right to be forgotten – Site owners must delete any personal data collected on a user if requested by the user.
  • Data portability – Site owners must provide any personal data collected in a common format, like .csv or .txt files.
  • Privacy by design – Privacy must be considered and built into a system from the start, not simply tacked on as an afterthought.
  • Data protection officers – Companies that process large amounts of data must have a staff member or contractor whose main focus is managing user data.

At first glance, the GDPR regulations may seem overly restrictive or disruptive to marketing efforts, but take a moment to stop and consider how you would like your personal information to be handled. The GDPR simply ensures anyone handling user data does so in a responsible and respectful manner. After the dust finally settles, we may even see a reduction in the use of dark patterns and a better web for everyone – even digital marketers.

Compliance and Penalties

What ‘compliance’ means will really depend on how a site is built, what third-party tools are utilized, and how data is managed. For example, a typical WordPress site might collect user data through online registrations, comment areas, contact forms, checkout flows, usage analytics, digital advertising, or security tools. To help facilitate the more technical aspects of the GDPR, WordPress has recently added new GDPR compliance tools, and many plugins are updating to piggyback on this system. (There are also a variety of plugins that can assist with GDPR compliance in other ways.)

Failure to comply with the GDPR can result in hefty fines, as well as more indirect problems such as reputational damage, which can require a much larger investment to recover your brand equity. Facebook has already taken some heat for how it handled the GDPR opt-in, while others have simply shut down all activities in the EU because of the cost of compliance.

The Times, They Are A Changin’

Going forward, a general rule of thumb should be to only collect data you plan on using. State in plain terms what types of data you are collecting and how it will be used. This may mean updating your privacy policy or modifying forms so that any additional data uses, like subscribing to a newsletter when completing a purchase, are clearly defined for the user and require active consent.
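To make the form advice concrete, here is an added example (not code from the article or from WordPress) of how a checkout form handler can apply two of the points above: keep only the fields the checkout actually needs, and treat the newsletter signup as a separate purpose that is recorded only when the user actively ticks an unticked-by-default box. It also shows a plain CSV export of the stored record, the kind of “common format” the data portability bullet mentions. The field names, the privacy notice version string and the in-memory records are assumptions made for the example.

```javascript
// Added example (not from the article): server-side handling of a checkout
// form that bundles an optional newsletter signup. Field names, the notice
// version and the returned records are assumptions for illustration.

// Fields the checkout actually uses. Anything else in the submission is
// dropped rather than stored "just in case" (only collect what you will use).
const CHECKOUT_FIELDS = ["email", "name", "shipping_address"];

// Version of the privacy notice shown beside the form, recorded with each
// consent so "what exactly did this user agree to?" can be answered later.
const PRIVACY_NOTICE_VERSION = "2018-05-example";

// Markup for the opt-in. Note there is deliberately no `checked` attribute:
// a pre-ticked box is the "dark pattern" the text warns about, and a browser
// only submits a checkbox value when the box is actually ticked.
function renderNewsletterCheckbox() {
  return (
    '<label><input type="checkbox" name="newsletter_opt_in" value="on"> ' +
    "Also email me the monthly newsletter (optional, unsubscribe any time)</label>"
  );
}

// Turn a raw submission (plain object of field -> string, as a body parser
// would produce) into the records to store. `consent` is null unless the
// user explicitly opted in; the purchase itself never implies consent.
function processCheckoutForm(submission, now = new Date()) {
  const customer = {};
  for (const field of CHECKOUT_FIELDS) {
    const value = submission[field];
    if (typeof value === "string" && value.trim() !== "") {
      customer[field] = value.trim();
    }
  }

  // An unticked box is simply absent from the submission, so absence means
  // "no consent". Only the explicit checkbox value counts.
  const optedIn = submission.newsletter_opt_in === "on";
  const consent = optedIn
    ? {
        email: customer.email,
        purpose: "newsletter",
        givenAt: now.toISOString(),
        noticeVersion: PRIVACY_NOTICE_VERSION,
        mechanism: "unticked checkbox on checkout form",
      }
    : null;

  return { customer, consent };
}

// Serialize one record as RFC 4180-style CSV (header row + one data row,
// every cell quoted, embedded quotes doubled) for an access/portability request.
function toCsv(record) {
  const quote = (v) => `"${String(v).replace(/"/g, '""')}"`;
  const keys = Object.keys(record);
  return (
    keys.map(quote).join(",") + "\n" +
    keys.map((k) => quote(record[k])).join(",") + "\n"
  );
}

// Small demonstration with a constructed submission: the card field is
// dropped, the whitespace is trimmed, and consent is recorded separately.
const demo = processCheckoutForm({
  email: " shopper@example.com ",
  name: "Example Shopper",
  shipping_address: "1 Example Street",
  card_cvv: "123", // constructed; not in CHECKOUT_FIELDS, so never stored here
  newsletter_opt_in: "on",
});
console.log(demo);
console.log(toCsv(demo.customer));
```

The handler keeps the consent record apart from the customer record on purpose: a later “right to be forgotten” request can delete both, and a “what did I agree to?” request can be answered from the consent record alone.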

The GDPR ultimately comes down to being respectful and protective of users’ personal data. Use this as an opportunity to show you deserve your users’ trust – it will go a long way towards creating a deeper connection with your brand.