The EU’s General Data Protection Regulation (GDPR) is THE hot topic on the legal/privacy conference circuit. Common questions echo sharply through industry panels, roundtables and keynotes.
How will global companies prepare?
What are the key issues?
What is the impact of Brexit?
While finding the answers is definitely important, it is often more helpful to step back and look at the whole landscape. See the ocean, before jumping in the water.
First, let’s look at why GDPR is here in the first place.
Harmonizing EU Data Privacy Laws
The jumping off point in any GDPR discussion is typically personal data collection and use. However, to really understand why GDPR is here, we need to look more closely at the fundamental differences between the historical and legal approaches to data protection in the EU and United States.
Europe’s privacy approach is grounded in its experiences during World War II—dealing with fascist regimes that used personal information to single out ethnic groups. As a result, in the EU, personal information requires deep, fundamental protection. This has extended to the legal regimes covering the use of personal data. Unsurprisingly, the US takes a more capitalistic approach and the US Constitution doesn’t have an explicit privacy right. Instead, we have to look to a few specific sections to glean privacy rights and regulation.
For US based companies doing business in the EU, it’s crucial to pay attention to the history and view of personal data. EU citizens believe in the right to feel that their data is secure, cared for and that they will have access to their data if needed. This is a particularly relevant fact when companies hold truly personal information like names, addresses and national ID numbers. But, GDPR brings “tracking data” into the category of personal, which includes browser cookies, mobile device IDs and IP Addresses.
What does this mean for you? Creating effective, directed advertising campaigns in Europe will require more thought and structure. This is an area where advertising technology providers (like DataXu) who focus on data protection as a key element, can be helpful.
Opt-In To Advertising
With the implementation of GDPR, using data for advertising in the EU will require extra attention to data collection and use practices. It will also force advertisers to be more thoughtful about the mindset of the EU consumer in a slightly different manner than the US consumer. For example, in the US we have an “opt-out” approach when it comes to data collection and use in advertising. Under GDPR, while not yet solidified, the EU could very likely move to an “opt-in” approach, which could greatly affect strategy around advertising.
It is important to note that GDPR does allow for the processing of personal data by a company if doing so is in the company’s “legitimate business interest” and direct marketing is one delineated example in the GDPR text. However, the right of an advertiser to utilize 3rd-party ad technology providers is not clearly addressed.
Irrespective of the final decision, we need to prepare for opt-in consent and GDPR compliance.
5 Items To Prep For GDPR Compliance
Preparation means ensuring that your company, as a whole, is GDPR compliant. This means accomplishing several big tasks between now and May of 2018:
- Full Data Mapping: detailed logs of the processing of personal data, its movement and storage.
- Privacy By Design: building a program where privacy fundamentals are integrated into product development, marketing and sales.
- Strategic Partnerships: ensuring that all partners where GDPR is implicated have been vetted and are subject to terms which govern compliance obligations.
- Up-To-Date Policies: updating all policies and procedures to comply with enhanced GDPR requirements.
- Product Development: building technical products or features to provide applicable levels of data access, control and erasure.
These tactical challenges and preparation guidelines are the work of DataXu’s Team Voltron. Interested in learning more? Check out our EU webinar The Marketer’s Guide To GDPR, where we discuss these challenges and how they relate to European Marketers and the marketing/advertising ecosystem.