It is a marketer’s worst nightmare … a penalty of 20 million Euros or 4% of global turnover for a data breach at a data processor that is a supplier. Or even worse: not properly capturing consent across an enterprise and accidentally emailing a customer after they opted out of one marketing tactic, because the supporting vendor did not communicate that opt-out to the rest of the email vendors that support the enterprise. We all have to follow rules, but how do you apply rules across multiple marketing systems that are emailing and capturing consent? The challenge in large enterprises is that multiple vendors on the front end are emailing and capturing consent through websites and registrations – so how does the consent get managed? The question becomes: how do we keep track of our customers’ data and consent and communicate it effectively to every vendor that supports the enterprise?
What is GDPR?
The European Union General Data Protection Regulation (GDPR) is making headlines because it is the most significant data privacy regulation in the last 20 years. The GDPR places new obligations on any business that handles the data of EU citizens, no matter where the business is located.
From Wikipedia, “General Data Protection Regulation (GDPR) is a Regulation by which the European Parliament, the Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.”
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force and this means that for the first time Europe will have a harmonized data protection regime that impacts not only companies based in the EU but also those companies that want to do business within Europe.
The main intent of the regulation is to tighten the requirements around when enterprise brands can use data. Goodbye to the days of simple click opt-in / opt-out boxes … For example, companies will no longer be able to bundle data consent in with their terms of service or rely on an opt-out box. Instead, companies will have to get specific and unambiguous consent. This means that the consumer will have to fully understand what they are consenting to and where the data will be stored, processed, etc.
Organizations will need to be able to demonstrate their data processing activities and show that they are acting lawfully. The consequences are also getting stricter: the penalty fine has increased to €20m or 4% of global turnover.
What’s new with GDPR?
1.) Consent: Consent for processing of data will need to be explicit. The days of implied consent and of “opt-out” consent will soon be gone; consent will need to be explicit and clear to the data subject. Data processes will need to be clearer to the data subject, including how their data is processed and what they can do to withdraw consent.
2.) Erasure / Revoke / Right to be forgotten: There will be a statutory right to be forgotten, so a data subject can have their personal data deleted. This deletion will have to be carried out by, and communicated to, every data processor that handles this customer’s data. Systems will need to start communicating which customers have ‘revoked’ their consent from your enterprise.
3.) Data processors: Strict rules will be introduced for data processors and companies that process data for other organizations. They will need to communicate with the other data processors that support the organization about consent capture, revocation, opt-in and opt-out, etc.
4.) Data Protection Officer: Large organizations will specifically need to hire a person to be in charge of the enterprise’s regulatory compliance.
5.) Data breaches: Breaches will need to be reported to a legal body, and in some circumstances there is a requirement to report them to the data subject too. Fines will be up to 4% of global turnover for data protection breaches!
Important terms that get confused:
All too often in meetings words get thrown around without a clear understanding of how to build a system that can truly capture the GDPR requirements. Consent is key at an enterprise level, as is setting up a consent management system.
- Consent: The almighty authority. This is binding. This is truly capturing legal authority to give permission to email, call, contact, etc. for customers. This can be held at an enterprise level but also at a brand level.
- Preferences: This is the channel through which the customer would like to be contacted, so for instance it could be a phone call or an email, etc.
- Interests: This is what the customer has shown gravity or attention toward, such as a subject, a topic, a white paper, etc.
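The three terms above, plus the revocation point from earlier, translate into a fairly small data model. The following is an added example and not code from the original post or any vendor: a constructed central consent ledger that holds binding consent at enterprise (“*”) or brand scope, keeps preferences and interests separately so neither is mistaken for consent, and lets a supporting vendor check whether its copy of a customer’s consent state is stale before sending. Scope names, the version counter and the rule that a preferred channel restricts contact are my assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed example: the single source of truth every vendor consults before a send.
@dataclass
class CustomerRecord:
    consents: Dict[str, bool] = field(default_factory=dict)  # scope -> granted ("*" = enterprise, else brand)
    preferences: Set[str] = field(default_factory=set)       # channels the customer wants to be contacted on
    interests: Set[str] = field(default_factory=set)         # topics they paid attention to; never a permission
    version: int = 0                                         # bumps on every consent change (assumed scheme)

class ConsentLedger:
    def __init__(self) -> None:
        self.records: Dict[str, CustomerRecord] = {}
        self.audit: List[Tuple[datetime, str, str, bool, str]] = []  # demonstrates lawful processing

    def _rec(self, customer: str) -> CustomerRecord:
        return self.records.setdefault(customer, CustomerRecord())

    def record_consent(self, customer: str, scope: str, granted: bool, source: str) -> None:
        rec = self._rec(customer)
        rec.consents[scope] = granted
        rec.version += 1
        self.audit.append((datetime.now(timezone.utc), customer, scope, granted, source))

    def revoke_all(self, customer: str, source: str) -> None:
        # Revoke / right to be forgotten: withdraw consent at every scope in one step
        rec = self._rec(customer)
        for scope in list(rec.consents):
            rec.consents[scope] = False
        rec.version += 1
        self.audit.append((datetime.now(timezone.utc), customer, "*", False, source))

    def set_preference(self, customer: str, channel: str) -> None:
        self._rec(customer).preferences.add(channel)

    def add_interest(self, customer: str, topic: str) -> None:
        self._rec(customer).interests.add(topic)

    def may_contact(self, customer: str, brand: str, channel: str = "email") -> bool:
        # Explicit consent only: a brand-level answer overrides the enterprise one,
        # and an interest or a preferred channel on its own never grants permission.
        rec = self.records.get(customer)
        if rec is None:
            return False
        allowed = rec.consents.get(brand, rec.consents.get("*", False))
        return allowed and (not rec.preferences or channel in rec.preferences)

    def vendor_in_sync(self, customer: str, vendor_version: int) -> bool:
        # A vendor holding an older version must refresh from the ledger before sending
        rec = self.records.get(customer)
        return rec is not None and vendor_version == rec.version
```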
How are enterprises and multi-channel marketing teams building for the future of GDPR?
This is a great question and I have yet to find a good, detailed answer explaining a model best practice for a compliant GDPR consent capture system. The answer greatly depends on how the technology is set up for large companies and how the many brands are capturing data through their suppliers. The challenge is not just one supplier but many suppliers that need an integrated ability to communicate opt-in/opt-out and consent status. The term consent gets thrown around together with capturing preferences and interests, which is fine at a tactic level but too complex at an enterprise level.
What steps are you taking to become GDPR compliant?