(L-R: April Mullen - Selligent, Basil Alomary - Simon Data, Jon Chang - Kickstarter, Steven Dimirsky - Selligent)
Selligent Marketing Cloud held a panel discussion on this subject on May 3 in its New York office. Moderated by April Mullen, Director at Selligent Marketing Cloud (and co-founder of Women of Email, of which I’m a member), the panel featured Jon Chang, Digital Marketing Director at Kickstarter; Basil Alomary, Growth Marketer from Simon Data; and Senior Counsel Steven Dimirsky, also from Selligent.
Here are some key takeaways if you are a US company currently grappling with GDPR:
1) Explicit customer consent is key. According to Mullen, GDPR crosses the Atlantic and non-compliant companies could face steep fines (up to 4% of global revenue). Keep boxes unchecked so customers opt in and give permission saying, “I am okay with you having my data and I have control of how data is being used.”
2) Map out your data. Alomary said that US companies need to map out their data. “Who and what are you collecting and why, who has access to it?” In addition, Dimirsky said that marketers in general need to be mindful of sources and storehouses of data – where is it kept and what are you doing with it? “Retention policy needs to be reasonable – do you have a reason for keeping it for that period of time?” He said that 7 years is a rule of thumb in North America and there is no law that requires keeping of data for more than 10 years.
3) Follow Kickstarter’s GDPR plan. Chang says it’s important to “assess vendor policy and their documentation as it pertains to GDPR.” His company, Kickstarter, appointed data deputies in each department to audit how they collected data, where it was stored and how it was used. They also talked with their users to assess what was considered private information. Kickstarter used this information to build a preference center for customers around privacy. He said the process was expensive but he thinks that Kickstarter is in a good position for whatever GDPR brings.
4) GDPR certification is evolving. Although there aren’t legitimate certifications yet for GDPR, Privacy Shield certification allows for data to be transferred from EU to US. Dimirsky recommends checking out Privacyshield.gov/list (US Dept of Commerce) which lists companies that are compliant. There is some pending litigation on the subject, including one in the Irish courts suing to invalidate the Privacy Shield.
5) GDPR is evolving and the data landscape will be impacted by it. Enforcement will initially be focused on larger tech companies such as Facebook, Google, and Microsoft, but smaller companies need to get on board with GDPR, as countries such as Canada and Australia adopt GDPR (being part of the British Commonwealth) and US states such as CA and MA introduce legislation, according to Dimirsky.
For more information on GDPR, Selligent has a wealth of content on the subject.