Avoid Penalties and Build Trust by Becoming GDPR Compliant

February 9, 2018           Analytics, Data Management

Disclaimer: I am not a lawyer and this blog post is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggested clarifications, please comment and provide sources, as appropriate.

What is GDPR and Why Should I Care?

The General Data Protection Regulation (GDPR) is the European Union (EU) data protection regulation (Regulation (EU) 2016/679) that gives individuals control over their personal data. It was adopted in April 2016 and applies in full from May 25, 2018, replacing the 1995 Data Protection Directive so that a single set of rules applies across the EU.

Although it is EU legislation, it reaches businesses in the US and elsewhere. Article 3 applies the regulation to any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour there, and tracking visitors with analytics and advertising tags is monitoring. The test is where the data subject is, not citizenship. (This still includes the UK: Brexit has not taken effect as of this writing, and the UK is expected to keep equivalent legislation once it has.) Administrative fines for the most serious infringements run up to €20 million or 4% of total worldwide annual turnover, whichever is higher; a lower tier of €10 million or 2% applies to other infringements. Yes, even if your company is based solely in the US and has customers in the EU.

The full text of the GDPR is overwhelming. You can of course read the original source and work through the legal language, but you may want to have a peek at ‘The GDPR in Plain English’ to supplement your understanding.

Not Specific to Digital Analytics

GDPR is not specific to Digital Analytics data and all data from your organization is subject to it.

That means your organization may already be working on GDPR compliance in other areas, and you should become part of that conversation rather than tackling analytics in isolation.

3 Simple Points to Understand

From a Digital Analytics and Digital Marketing perspective, here are the three most important points to focus on:

  • Expanded Definition of Personal Data — The GDPR uses the term “personal data” (Article 4(1)), which is broader than the US notion of PII: any information relating to an identified or identifiable person, explicitly including online identifiers and location data. Recital 30 names IP addresses and cookie identifiers as examples of online identifiers. In the UK, a postal code may be granular enough to identify one person or ten people. Name, email, phone, etc. are of course still personal data. The GDPR also defines “pseudonymization” (Article 4(5)): processing the data so that it can no longer be attributed to a specific person without additional information that is kept separately and protected, for example replacing identifiers with user IDs or keyed hashes. Pseudonymized data is still personal data under the GDPR (Recital 26); only properly anonymized data falls outside it.
  • Explicit Consent & Transparency — Consent must be a freely given, specific, informed and unambiguous affirmative action (Article 4(11)); pre-checked boxes, silence or inactivity do not count (Recital 32). Withdrawing consent must be as easy as giving it (Article 7(3)), and you must be able to demonstrate that consent was obtained. Consent is only one of the lawful bases for processing, but it is the one most marketing tracking will rely on.
  • Right to be Forgotten — Personal data must be erased without undue delay when the individual requests it and no other lawful ground for keeping it applies (Article 17). Legal retention obligations, such as accounting records, are an explicit exception.
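The pseudonymization point above deserves a concrete check, because “hashing” an identifier is not automatically pseudonymization. The following is an added example (not code from the original post, Google Analytics, or any vendor) showing why an unkeyed SHA-256 of an IPv4 address or cookie ID can be reversed by simple enumeration, and how a keyed HMAC, with the key held by the controller and stored apart from the data, keeps sessions linkable for analytics while making the pseudonyms useless to anyone without the key. The sample hits, the key handling and the function names are all assumptions made for the example.

```python
"""Pseudonymising online identifiers with a keyed hash (added example).

Demonstrates two things the GDPR bullet above only states:
  1. an unkeyed hash of a small identifier space (IPv4, short cookie IDs)
     hides nothing, because every candidate can be hashed and compared;
  2. an HMAC keyed with a secret the controller keeps separately is a
     real pseudonym: same input + same key links sessions, no key means
     enumeration buys an attacker nothing, and rotating the key bounds
     how far back a leaked table can be linked.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed sample hits in the shape an analytics collector might log.
# These are made-up values for the example, not data from the post.
SAMPLE_HITS = [
    {"ip": "203.0.113.42", "cid": "GA1.2.1234567890.1517000000", "page": "/pricing"},
    {"ip": "203.0.113.42", "cid": "GA1.2.1234567890.1517000000", "page": "/contact"},
    {"ip": "198.51.100.7", "cid": "GA1.2.9876543210.1517000001", "page": "/pricing"},
]


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic and public, so anyone can test guesses."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reverse_plain_hash(digest: str, network: str) -> Optional[str]:
    """Recover an IP from its unkeyed hash by enumerating a candidate range.

    A /16 is 65,536 guesses; the whole IPv4 space is only 2**32, which a
    single core hashes in minutes. The unkeyed hash is therefore not a
    pseudonym in the Article 4(5) sense: no separately held secret exists.
    """
    for addr in ipaddress.ip_network(network):
        if plain_hash(str(addr)) == digest:
            return str(addr)
    return None


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym.

    Same identifier + same key -> same pseudonym, so a visitor's hits still
    link up for analytics. Without the key, enumeration yields nothing.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_hits(hits, key: bytes):
    """Return copies of the hits with ip and cid replaced by pseudonyms."""
    return [
        {**hit, "ip": pseudonymise(hit["ip"], key), "cid": pseudonymise(hit["cid"], key)}
        for hit in hits
    ]


def new_key() -> bytes:
    """A fresh 32-byte random key.

    Keep it separate from the pseudonymised data (a secrets manager, not the
    analytics database) and rotate it on a schedule: pseudonyms made under
    different keys cannot be linked, which limits the blast radius of a leak.
    """
    return secrets.token_bytes(32)


if __name__ == "__main__":
    # 1. Unkeyed hashing is reversible for small identifier spaces.
    digest = plain_hash("203.0.113.42")
    print("recovered from unkeyed hash:", reverse_plain_hash(digest, "203.0.113.0/24"))

    # 2. Keyed pseudonyms keep linkability within a key period...
    key = new_key()
    out = pseudonymise_hits(SAMPLE_HITS, key)
    print("same visitor still linked:", out[0]["cid"] == out[1]["cid"])

    # ...and break it across a key rotation.
    rotated = pseudonymise_hits(SAMPLE_HITS, new_key())
    print("linkable after rotation:", out[0]["cid"] == rotated[0]["cid"])
```

Two practical notes on the design: the HMAC key is the “additional information” that Article 4(5) says must be kept separately, so a processor that receives only the pseudonymised table (and not the key) cannot re-identify anyone, while your own organization still can and therefore still holds personal data. And when a visitor exercises the right to erasure, deleting their key-period pseudonym (or retiring the key for that period) is the mechanism that actually severs the link.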

Critical Definitions

The GDPR defines a Data Controller and a Data Processor (Article 4(7) and 4(8)). Simply put, the Data Controller is usually your own organization, since you decide why data is collected and which data.

The Data Processor (from a Digital Analytics perspective) is often your vendor, such as Google Analytics, which processes data on your behalf and under your instructions. Article 28 requires that relationship to be governed by a written contract (a data processing agreement) setting out the subject matter, duration, nature and purpose of the processing and the processor's security obligations; check that each of your vendors offers one.

GDPR and Data Governance

GDPR compliance is part of a solid data governance practice, since it deals with the security of data, the processes around data, and data management.

For example, what process does your organization follow when someone asks to add a new advertising pixel to your site? Is the new vendor reflected in the privacy policy and consent dialogues? Do you know what data is sent to that vendor, how they use it, and whether they meet their obligations as a Data Processor? As the Data Controller you are accountable for understanding what data leaves your site and how it is used.

Not Prepared? You’re Not Alone

The deadline of May 25, 2018 is approaching quickly and will be here before we know it. If your organization isn’t prepared, you are not alone.

According to a recent HubSpot survey of marketers, only 36% had heard of the GDPR, and 22% admitted that they had not yet done anything to prepare for it. HubSpot's survey also looked at consumers' attitudes about the GDPR in the EU and found that 81% agree that the GDPR is a good thing (90% after learning more about it).

If your customers in the EU want this regulation, you need to evolve your data privacy practices now (and again, the fines for ignoring it are substantial, so let that be your motivator if you think you know better than your EU customers). Jeff Lunsford, CEO of Tealium, stated that organizations “should also see GDPR as an opportunity to provide what today’s consumers want — clarity and processes that put their individual rights first.” Further, other countries and regions are likely to adopt similar regulation; there has already been movement on this in the US and Asia.

Bottom Line: GDPR is happening and your organization must take action to be ahead of this to provide the data privacy controls that your consumers are asking for.

e-Privacy Regulation Overshadowed

To complicate matters further, the buzz around the GDPR is overshadowing the EU's proposed e-Privacy Regulation, which would replace the existing e-Privacy Directive (the source of today's cookie rules). The aim was for it to apply at the same time as the GDPR, though reports say that is unrealistic given the lack of progress so far.

You will need to research the provisions directly (and the current draft may still change), but one of the most visible proposed changes is that cookie consent pop-ups and overlays could largely go away: under the draft, consent for tracking would be expressed through browser privacy settings, which browsers would have to offer on installation. That could revive the Do Not Track (DNT) browser signal that marketers have largely ignored for years. Until a browser-level signal is binding, your site still needs its own consent mechanism; honouring DNT where a visitor has set it costs little and is in keeping with the direction of the regulation.

GDPR is an Opportunity for your Brand to Stand Out

Turn the business threat of the GDPR into an opportunity to build brand affinity. The sooner you are compliant, the more likely you are to be seen as a leader that cares about its customers, and you gain a competitive advantage.

We expect that both EU and non-EU customers alike will use adherence to these privacy regulations (GDPR and future regulations being discussed) as a measure to size up how safe their data is and ultimately, how much they trust your brand.

If your organization is not making progress towards compliance ahead of the May 25, 2018 deadline, please engage in the conversation by sharing your questions and comments below, or reach out to our team to learn how we can help accelerate compliance.

In a follow up post, I’ll provide actionable tips for how you can become GDPR compliant using Google Analytics.

  • Gindylow

    Am I the only one thinking that GDPR is clearly a disaster, as a small Design and Web Business it seems ridiculous to expect small business to be compliant from day one, given that the likes of Google, Amazon etc. have yet to publish cast iron, workable procedures for us to follow. Nothing I say or do will influence how Google proceed, nor will it speed up their deployment of a workable system for us to follow.

    Google analytics should by default be switched over to respect DNT requests at the browser level, without everyone having to run around like headless chickens on May 25th. Online privacy always has been a combination of large corporate over reach, and almost total lack of user skill combining to create mayhem.

    How for example will Cambridge Analytica be held responsible, alongside Facebook, for what is clearly massive exploitation? How are small, straightforward web design companies expected to fix what is broken on the internet when big business does little or nothing in a timely manner.

    It only takes one look at Cloudflare’s GDPR statements to see that, as ever, GDPR has turned into a corporate sales opportunity, rather than directly solving the issues of privacy. We can all list gross corporate data breaches by the likes of Sony, Facebook, Adobe, Yahoo and yet it is clear that online identities are still no safer today than they were a decade ago.

    Lastly we only have to look at the mess created by the NSA, GCHQ, CIA, MOSSAD et al. and the Ed Snowden affair to see that web connected, cloud computing et al. are heavily back-doored by state level actors. The holes left open by these agencies in online software, hardware and operating systems are also there to be exploited by so called black hats.

    GDPR is a disaster in my view, a very blunt instrument with huge financial implications. As a final question, how for example will your own website demonstrate that you have an implicit consent from DISQUS users to publicly publish our comments in this post article chat? In fact taking a closer look at the Ublocker listing for this website highlights quite a list of trackers and CDN’s and yet at no point have I been asked for consent?

  • @gindylow:disqus Thank you for your comment! I agree that the burden on small businesses is quite large. That’s one of the reasons why I’ve been speaking and blogging about this topic, so as to provide hopefully clearer information and actionable steps.

    I do think that the intent behind GDPR is positive. It speaks a lot to the side of data governance that is often not in place (at small and large organizations alike). This can/should be leveraged to build trust.

    Regarding our own site, we are in the process of moving the site over to HTTPS to support communication over SSL. The Disqus plugin itself is loaded into an iFrame where communication does take place over SSL. We are also in the process of building consent management for opt-in/out for visitors to our site in order to comply with GDPR (at a minimum for our EU visitors; based on geo-ip identification). If a user does not consent, we won’t be loading the various marketing technologies on our site. To your point; this all takes time.

  • Gindylow

    Hi Joe and thanks for your reply. Moving to SSL was one of the things I implemented early last year in a long chain of processes to become GDPR ready. This included having our hosting company move our sites onto newer platforms to support the higher requirements for PHP and SQL in WordPress.

    We then implemented LetsEncrypt SSLs on each domain in turn at the free level using CloudFlare, as our host still hasn’t adopted LetsEncrypt on their shared hosting platform.

    We’ve moved to FTPS and encouraged clients to move to Encrypted email connections. Since then I noticed that Cloudflare have suggested that the entry level accounts will not be ratified as GDPR compliant! This is a major speedbump in our rollouts.

    Earlier this week I was looking at Google Analytics and made some changes, then the following day Google announced further progress and changes.

    I agree data protection is important, I’m all aboard on that score, it’s just incredibly difficult to have a small business ready on time, when the large companies look as though they won’t be ready until the deadline either.

    Where things will be difficult for us will be the logical catch 22 situation of a user requesting deletion and no tracking, but not allowing us to place a Cookie on their machine to store their preferences…

    Thanks for writing on the subject, it’s useful to us and no doubt many like us to be able to discuss it, read about it and generally bounce ideas.

    I wonder how quickly the EU would consider bringing GDPR prosecutions after day zero is passed and how quickly the US will implement similar law as a result of the recent Facebook headlines.

  • QQ

    I won’t go into how so many aspects of what I’ve read about GDPR are DUMB (not an acronym), and so many things wrong with it.

    Scenario: USA company with USA based website. EU visitor comes to site to purchase service or product. Website states it follows only US laws and regulations, and is not bound by outside US regulations or laws, and visitor must accept this, and that visitor must accept being bound by USA laws and the state’s laws to purchase service or product.

    Comments on the above scenario?
    The above is essentially saying to the visitor to accept being bound by only US laws, and waive any rights or obligations of outside US laws.

    It seems to me that companies and websites have the option to NOT be GDPR compliant without risk of fine. If someone wants to purchase a service through a website of a US based company, then that company has the right to state which laws it follows and which laws and courts the visitor (buyer) is bound by.

    I also do not see how an EU state, the ICO, or any other entity outside of the US legal system has any authority over a US company, or can force anything upon a US company. They can say to a US company that you are fined, but that does not mean they can collect that fine or legally have rights to that fine in the USA.

    You can try to force the concept that the US company is doing business in the EU by providing service to an EU citizen, but NO, it’s not the case IMO. The EU citizen has chosen to purchase from a US company and is doing business in the USA essentially.

  • QQ

    Am I to understand from your article that after a EU citizen (Customer) gets online services for years from a US company (or their website(s)), and then the Customer can ask that his/her account information be deleted? BS! If so, then F#@#[email protected] GDPR and [email protected]#[email protected]@$ EU. Absolutely absurd to ask a company to delete financially related account information, or any account profile information. Those things are essential for a company to do business, provide services, sell products, do their taxes, have legal support documentation, and all the post-sales and future business related analysis, etc.

  • @disqus_kCRdndwm4m:disqus Good questions.

    If you provide goods/services to EU citizens, such as shipping products to those countries, then you should work towards compliance. If you don’t, then you probably shouldn’t worry about it.

    Regarding how GDPR works in potentially fining a US-based company, read this article: https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr under the heading ‘How EU regulators can fine you’. The short answer to your question is international law and cooperation between enforcement agencies.

  • @disqus_kCRdndwm4m:disqus I suggest consulting with a lawyer on this. My understanding of GDPR is that if you have a legal requirement (accounting purposes, etc.), then you do not have to delete that data. We’re more talking about data about an individual that isn’t essential to those obligations.

Connect with Blast Analytics & Marketing