How to Lose 4% of Annual Revenue by Ignoring GDPR
As you have most likely heard, on May 25th the new General Data Protection Regulation, or GDPR, will take effect in the European Union. GDPR primarily focuses on the rights of EU citizens to control how their data is used online and on how companies must manage that privacy.
GDPR protects any person in the EU, or anyone interacting with an EU-based brand. For brands, that means you must comply with GDPR regulations when marketing or selling to any such person, even if your business is based entirely outside of the EU. While there are some businesses for whom GDPR does not apply, given the complexity of the law and the stiff penalties for failure, it is better to assume that you may be affected than to receive a nasty surprise down the line when one of your best customers moves to Italy and still wants your premium blue widgets.
What does compliance with GDPR mean? While GDPR builds on digital privacy laws already in place in the EU, it adds several new provisions, including:
- Better disclosure: GDPR requires that you explain the data you are collecting in “clear and plain” language that can’t be confused with any other part of your terms of service and that customers explicitly agree to that information’s use.
- Improved data request response time: GDPR shortens the time you have to respond to information requests.
- Increased responsibility: It used to be that only the people who collected information were required to ensure privacy. Now anyone who handles information must comply. (GDPR calls the first set “controllers” and the second “processors.”)
- The right to be forgotten: Customers can ask to have all their information permanently erased from your system and the system of anyone you have shared that information with. If you are the one that shared the information, you are also responsible if the information is not removed.
- The right to data portability: Customers have the right to receive a copy of everything you know about them in a form they can understand (GDPR calls it a “common format”).
The penalties are harsh: fines can be up to 20 million Euros or 4% of your business’s annual revenue (whichever is greater) for failure to comply.
As a Google Partner, Delve has been keenly interested in understanding how Google will be responding to GDPR.
In preparation for GDPR, Google has been making updates to Google Analytics and Doubleclick in order to respond to the much higher levels of consumer control guaranteed by GDPR. They’ve shared their own actions with partners and if you’re currently working with Google, you probably have received emails prompting you to agree to new Terms designed to comply with GDPR requirements. You can use their actions as a guideline for what you may need to update as well.
| What Google has done | GDPR reminder | What you should do |
|---|---|---|
| Google has updated its Terms of Service and User Agreements to comply with GDPR. | GDPR requires plain-language explanations of the data collected when a user lands on your site, as well as plain-language explanations of how that data is used. GDPR also requires an explicit opt-in and no longer allows implied consent. | Review your Terms of Service with an attorney who understands GDPR and ensure that it uses the clear and plain language GDPR requires. Request that each user review and agree to the Terms of Service. Secure explicit opt-in from users landing on your site before dropping cookies. Make sure what users are opting into is clearly explained in plain language, and that a document detailing how their data will be used is readily accessible for their review. Make sure users can opt out of tracking as easily as they can opt in. |
| Google has updated its security and will use annual reviews to ensure compliance. | GDPR requires that data breaches be reported within 72 hours of discovery. Advertisers will be held responsible for misuse of any stolen data. | Audit your security processes and data governance protocols. Rewrite processes as needed to ensure the data you’re capturing is securely stored and protected from unauthorized access. |
| International data transfers handled by Google have also been updated and are in compliance. | | While you may not handle international data transfers on Google’s scale, we still recommend that you get your own independent legal advice. If you’re working with an agency, be sure to ask if they have done this work as well. (If you are an agency, this all applies to you too. Talk to your clients about GDPR.) |
There is a great deal of speculation out there about GDPR and how much US companies really need to pay attention. But the bottom line is this: do you really want to be the one who tests the law? Let the Googles, Amazons and Facebooks of the world fight court battles to define precisely who is or isn’t covered by GDPR. Protect your business by being proactive and assuming you may be liable. If nothing else, customers will appreciate the greater transparency about their data.
Hubspot created a nice GDPR primer that goes much more into depth than the highlights we’re including here.
Google has prepared a page addressing GDPR security if you’d like to understand more about their response.
The full text of GDPR is also available, if you’re interested in absorbing the details of the law.