Today is a good day to learn more about what GDPR means for your business.
The European Union’s General Data Protection Regulation, or GDPR, becomes effective on May 25, 2018. And while that is nearly a year away, operationally, there are a metric butt-load of things you’ll need to do to be compliant. (Yes, “metric butt-load” is a technical term.)
In this episode of the Rethink Podcast, we spoke with David Fowler, who is Act-On’s head of privacy, compliance, and deliverability. As David says, GDPR marks the biggest change to EU data protection law in a generation. And it applies to the EU’s 510 million citizens, as well as any business doing business with them, regardless of where they are based.
Enjoy the conversation, and we hope you can get one or two useful takeaways that you can bring to your business.
Nathan Isaacs: David, can you tell me more about what you do at Act-On?
David Fowler: I help our clients navigate the digital roadmap in terms of their obligations under local, state, federal, and international laws as it relates to digital marketing. I also ensure that when our clients hit the “send” button for their emails, the messages have every opportunity to get to the inbox. Digital compliance in 2017 is a very deep and wide field. If you’re a marketer in the US mailing to the EU, for example, your obligations are going to be different than if you’re a marketer in the US mailing to Canada. It’s our job to inform our customers of their obligations under those particular legislative roadmaps.
Nathan: One of the things we’re talking about today is the General Data Protection Regulation, or GDPR. Can you tell me what that is and what it’s all about?
David: The GDPR is a law that will go into effect in Europe in 2018, May 25th to be exact. And what it is, essentially, is a complete rewrite of the 1995 EU data directive. And for those of you listening on the podcast, there aren’t universal laws in Europe in terms of digital compliance. There are interpretations of the data directive, and each country can determine what their interpretation of that law is. So, as you could see, just that in effect itself creates this massive potential for confusion.
The GDPR is a universal law that will apply to all companies who have European citizens in their databases. That’ll be across the board for every country within the EU. It’s one law for 500 million individuals.
Nathan: For businesses based in the US or elsewhere in the world that are doing business with individuals in Europe, this applies to them. Is that right?
David: That is correct. And there are some heavy fines if you’re in noncompliance ‒ up to 4 percent of total revenues of a company. If you’re Google for example, what’s 4 percent of a trillion dollars?
Your Responsibilities Under GDPR
Nathan: A new law is applying to how I do business with individuals. What do I need to do as a business to be compliant?
David: It’s important to understand the responsibilities under GDPR. And in Europe, you have two flavors. You have the controller and the processor of the data. For example, you’re a client of Act-On. You would be a controller under the GDPR roadmap. And we [Act-On] would be the processor of your data. Our obligations under GDPR is to, A, comply with the law, obviously. But also B, build our products and services that allow you to comply with your obligations under GDPR.
It’s not our responsibility to ensure that you are compliant. But it is our responsibility to show that our products allow you to be compliant, meaning things like providing consent mechanisms, consent backup, double opt-in, all these types of things that we take for granted in terms of permission, our products should be to the point where they do that.
Using a marketing automation platform within the GDPR scope is something you as the controller of your data and your customers’ data will not only have to comply with, but also understand how you use the technology to do that. Now human rights, in terms of data and personal information and that kind of thing, there are a lot more issues that come to the table under GDPR if you’re the customer’s recipient of a digital relationship. Operationally, there are a lot of things you’d need to think about in terms of getting yourself ready for that. But ultimately, where the rubber meets the road, if you have a customer that you can’t prove how they got into your list, or you can’t prove where they came from, or you can’t prove the consent mechanism that was used to start marketing to them, then, essentially, you’d be in noncompliance under GDPR.
Operational Impacts of GDPR
Nathan: What are the operational impacts of the GDPR?
David: Great question. There are 10 areas that you need to think about from your company’s perspective in terms of getting prepared for the operational side of GDPR. Number one is data security and breach notification.
So, if you have a data breach, your obligation is to inform the DPA ‒ the data protection authority ‒ within a 72-hour window of that breach actually occurring or your being aware that that’s occurring. The mandatory DPO, or data protection officer, is something that is being implemented under GDPR, meaning if you’re a company of a certain size, you actually have to have an employee on staff who looks after your data protection efforts.
Data subject consent is a massive issue ‒ how you obtain consent from a data subject. Under GDPR, a data subject is the actual individual and not an anomaly. Cross-border data transfers is a big one. If you’re moving data around Europe or from Europe back to the US or wherever it may go, that’s something to think about. In terms of how it’s done from an adequacy perspective, under the current environment, the cross-border data transfer mechanism between Europe and the US is governed by a program called the privacy shield, and we are privacy shield-certified as a company. But there will be other entities that come to play to help that along.
Profiling and the right to reject will be a massive issue in terms of how individuals get profiled and how they have the right to object about being profiled; meaning, if I know that you’re wearing a white shirt today, I’m going to profile your shirt preferences, and maybe send you some white pants to go with that. As the individual, the issue is how you can manage that in terms of being able to opt out of that profiling moving forward.
Another big one is the right for data portability and the right to be forgotten. Under GDPR, the concept is that you as the individual have the right to take your data from company A and move it to company B in an acceptable machine-reading format, and also you have the right to have the fact that you actually ever had a digital relationship with that particular brand forgotten. So that’s a massive issue in terms of how companies are going to be able to comply with that and really deploy those types of strategies around those concepts. We’re still sort of getting our arms around that.
The seventh area is duties and responsibilities of controllers and processors. What is your responsibility under GDPR as a processor, which is Act-On, and what are your responsibilities under GDPR as the controller, which is the customer of Act-On. And they are two different issues in terms of some of the things that come to the plate with that.
Another issue to think about is the pseudonymization of personal data ‒ how I can take your data and make a bigger profile based on other third-party type entities that could plug into that, into your particular roadmap. Codes of conduct, how and why you have to act a certain way. And then finally, fines and procedures is a big issue; you could be fined 4 percent of the global revenue of your company if you’re noncompliant.
So, there are a lot of things from an operational perspective. And I guarantee you, if you have a privacy person, if you have compliance person, and those people aren’t talking to your tech ops or your engineering folks, then you need to start thinking about pulling those people together, because it’s going to take a village to get this thing done from an organizational perspective.
Individuals’ Rights Under GDPR
Nathan: What are the individuals’ rights in all this?
David: Yeah, that’s a great question. Because under the GDPR, the individual has the right to be informed, to be told, ‘I got your information from here, and this is what I’m going to do with it, and this is what I’m not going to do with it.’ The right of access, so you as the individual can get a hold of us and say, ‘Hey, my information’s not right, it’s incorrect, it’s inaccurate, and I need you to change that, based on the profile that you have about me.’ The right to recertification, meaning the same thing ‒ you could actually change or adjust based on what you know. The right to erasure: ‘Hey, Act-On please erase all these pieces of information about me,’ or, ‘Mr. and Mrs. Customer, please erase all this information about me,’ and how are you going to do that?
You have the right to restrict processing, meaning ‘Hey, I’d like to get emails from you, but I don’t want to get SMS.’ Or, ‘I’d like to get emails, but I don’t want to get texts’ … or whatever the case may be. And then the right to restrict data portability, meaning I go and take my data from company A and move it to company B. You could, in theory, have customers who leave on a Friday at 5 p.m. and then go to another company Monday at 8 a.m. And, technically, they should be up and running within that environment.
And then finally the right to object: ‘This is right, this is wrong, this is indifferent.’ And the right to relate to automated decision-making and profiling, meaning, as we are in the digital channel now with things like artificial intelligence, that you could start building profiles on people and subjects regardless of whether they know about that or not. You have to be very up front in terms of how you disclose that information and how you build those profiles.
What I envision is companies will be overcompensating for consent. You think about how you engage in a digital relationship today – disclosure, consent, and all these things that we take somewhat for granted. But the point is that I think you’re going to see a lot of profile pages and onboarding pages, where you’ll have no pre-checked boxes, but you’ll allow people to be able to say, ‘I would like to select this or deselect that.’ Pre-checked boxes on the GDPR is a complete no-no. It’s totally illegal.
And what I would be doing now as a marketer is, in your preparation efforts, when this thing goes live in May of next year, there’s going to be no grace period. Every piece of data you have on your file come May of 2018 will have to be compliant the day it goes live. So, you should start thinking now about how you either re-permission or get to the point where you start to disclose different things about the individuals as you get ready for the GDPR implementation. So, re-permission your lists, get your consent in order, start talking about disclosures, and that kind of thing. And so that’s what you should start embracing today.
Learning More About GDPR
Nathan: We’re talking about this now just so that people have an opportunity to start getting in compliance or putting in those mechanisms to be compliant, ourselves as well as anyone else. Is there a checklist?
David: Full disclosure, we’re not in a position where we could provide legal advice or guidance. But some of the data protection authorities within the EU are more vocal and have been more communicative than others. And a great example of a DPA that has put a lot of information out there is the ICO, the Information Commissioner’s Office of the UK.
If you go to their website, they have a ton of information in terms of what you should be thinking about, how you get yourself ready, and what your obligations are going to be next year.
Nathan: So, this is something to get the entire team discussing, from marketing to compliance, to legal and engineering, correct?
David: Absolutely. Because everyone’s going to interpret it differently. I mean the documentation is hundreds of pages deep. It’s extremely cumbersome. But it’s really a common-sense approach to a digital relationship. And it’s not just about the individual now. It’s also about how you do business with your vendors and how you hold them accountable for things. In some respects, it’s a framework for a common-sense digital approach for not only marketing, but also for opting out of certain things. It’s definitely something that you should be thinking about now. And if you haven’t, then you are a little bit behind the 8-ball.
Act-On will be producing webinars and datasheets and other content about GDPR throughout the next year. You can also email David if you have a question: firstname.lastname@example.org.