Wondering how GDPR affects your marketing?
In this article, you’ll find a plain-language overview of GDPR, how it could impact your data collection, and what you need to do to make sure you’re compliant before May 25, 2018.
The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018. GDPR is designed to give greater protection to an individual’s personal information and how it’s collected, stored, and used. There are strict requirements placed on companies that possess the personal data of people located in the EU.
After May 25, 2018, organizations that aren’t in compliance with GDPR’s requirements could face large fines (up to 4% of a company’s annual global turnover or €20 million), which vary based on the severity of the infraction.
When Does GDPR Apply?
A financial transaction isn’t necessary for the GDPR to apply. A non-EU-based business must comply with the GDPR if it collects or processes personal data of any EU resident (EU citizenship is not required).
Under GDPR, personal data is defined as information that can be used to identify someone, directly or indirectly. This includes IP address, cookies, location data, name, and email address.
GDPR may require significant changes in how a company discloses and obtains consent to collect personal data.
If you’re collecting personal data from an EU resident, you must obtain explicit consent, which generally means that consent should be:
More specifically, for consent to meet GDPR standards, it must:
When the processing of personal data has multiple purposes, individuals must be informed of each purpose and allowed to consent or decline each purpose separately. Additional requirements apply when obtaining consent from children. Entities must also keep records of consent obtained from data subjects.
Strict Privacy by Default
Strict privacy settings should be the default setting. A user shouldn’t have to go into their settings to make manual changes to opt into stricter settings.
Rights to Data
Under GDPR, individuals have greater control over how their personal information is collected, stored, and used. Individuals have a right to access their data, which means the right to know where, why, and how their data is processed. This includes the right to request a report of the data held about them. Additionally, individuals have a right to be forgotten, which means they can ask for their data to be deleted.
Organizations have a duty to report certain types of data breaches to the relevant supervisory authority within 72 hours, unless the breach is harmless and poses no risk to the individual. If a breach is concluded to be high risk, the company must also inform the individuals impacted.
Appointment of Data Protection Officer
Information of Children
Under GDPR, a company may not collect personal data of anyone under 16 without parental consent. Implement a process to verify age and to obtain parental consent when necessary.
Takeaway: Under GDPR, companies must ensure that they have clear policies in place to maintain compliance.
Many social media marketers ask whether companies outside of the EU need to comply. They do: non-EU companies must comply with GDPR if 1) they collect or process personal data of any EU resident, or 2) the company’s activities relate to offering goods or services to EU citizens, regardless of whether payment is required.
GDPR protects any EU resident, regardless of EU citizenship. Even an American citizen who’s only temporarily located in the EU is protected by GDPR.
Remember that a financial transaction isn’t necessary for the GDPR to apply. Any non-EU-based business must comply with the GDPR if it collects or processes the personal data of EU residents.
Takeaway: All companies must obtain explicit consent from the data subject, including non-EU companies. Simply being located outside of the EU doesn’t relieve a company of compliance.
Audit and Implement GDPR Compliance Strategy
First, conduct an audit of your website.
Obtain Explicit Consent
Takeaway: Your GDPR strategy should first determine what personal information you collect and then put new procedures in place to ensure compliance.
Retargeting Ads and Tracking Pixels
If your website uses remarketing ads, including the Facebook pixel, inform website visitors of this immediately when they enter your site and obtain informed consent.
If you publish sponsored content, ask your client if they use tracking pixels or cookies and why. If the company uses pixels or cookies to capture personal information or to remarket to your audience, you must get consent from visitors immediately when they enter your site.
On the subscription form, have a checkbox for the visitor to consent to everything they’re about to subscribe to. If your newsletter uses tracking pixels to see when they open it, put a visible disclaimer before they subscribe. Check whether your email service provider offers GDPR tools.
If you use affiliate links, you need to get consent for cookie usage. You can gain consent on an individual post or as an overlay. Consent must come before the visitor clicks the affiliate link because a cookie will be placed on their browser to track sales activity.
Before users submit their information in a contact form, get their explicit consent with a checkbox.
Before users can leave a comment, get consent by using a checkbox and disclose that your site will store their comments and, as needed, information relating to the comment such as the date and computer’s IP address. Let them know how the information is used. Also, include a reminder that some information may be displayed publicly, such as name or URL, if they’re submitted with the comment.
Takeaway: Ensure that you obtain consent for each purpose of the data collection (e.g., one checkbox may authorize adding the visitor to your mailing list and another may consent to storing personal data for communication about purchases).
Remember, if you aren’t sure about what type of data a plugin or marketing tool collects, investigate it with the developer to ensure that you’re not using non-compliant tools.
If you’re looking for tools to help you manage GDPR compliance, here are a few WordPress plugin options:
Ready or not, GDPR is coming and you need to be compliant by May 25, 2018. Even if you’re a non-EU company, GDPR is likely going to impact your social media marketing business; however, by following a few simple steps, you can ensure your compliance.
What do you think? What steps have you taken to make your business GDPR-compliant? Please share your thoughts in the comments below.