• by Ray Schultz , Columnist, August 10, 2017

It’s nine months and change until the European Union’s General Data Protection Regulation (GDPR) takes effect. U.S. companies that do business in Europe are scrambling to comply — above all, they have to get consent up front to even have data on people.

Evidon says it is helping them. In July, it launched its Universal Consent Platform, which can facilitate compliance across desktops, mobile web and in-app, it claims. The product also can help firms get through the thicket of data suppliers and make sure that the law is being followed.

To get a handle on GDPR, Email Insider interviewed Evidon CEO Scott Meyer.

Formerly known as Ghostery, Evidon was acquired earlier this month by Crownpeak, a digital experience management company. The majority of the purchase was backed by K1 Investment Management, an investment firm that specializes in enterprise software companies globally.

With the additional buying of ActiveStandards, K1 has invested over $100 million of equity in the combination, and has additional capital available.

What’s the biggest problem with the GDPR?

The first thing is data mapping. What data am I actually collecting on EU citizens? What does my supply chain look like, and where do my services fit into my client’s supply chain? Every company has this messy digital supply chain, with all these vendors. It’s hard with programmatic ecosystems: You have to understand who’s in there and what your business relationship is like. Sometimes you may not have a direct relationship with them — maybe it’s through an ad agency. 

What is the basic requirement of GDPR?

You have to get prior consent — for email and other first-party data sets. You have to let people exercise their data rights: the right to be forgotten, the right to erasure, the right to modify.

What does Evidon bring to the table?  

Our universal consent platform combines the different pieces, and we bring it together in a user-friendly interface. If you do this with a silo approach, it will destroy the user experience.  

Do all U.S. companies have to comply? 

No. The GDPR is based on where the user resides, not where the company is located. So technically, any data you have on any European citizen could expose you to this risk. In reality, it’s a matter of degree. If a European lands on your site and you’re not doing business with them, the likelihood is fairly low of your being at serious risk just being based in the U.S. But if you do business with European citizens, you have to be on top of this.

What does this mean for email marketers?

In the email space, you have to be on top of the data supply chain so you know what other data is being mixed in with yours. And you have to get their consent and provide an unsubscribe -- a way for the user to withdraw consent. The problem is, you also have to ensure that the contracting company is transmitting the consent they received back to you. It’s a two-way connection that probably is not there as cleanly in the email space.  

Isn’t the email address a pretty clear identifier?

The email address is personally identifiable information. Somebody had to give you consent, theoretically. You have to find out where it was given, and if it’s for a European citizen, and make sure that it lives up to the law. The law requires that you’re set up to provide the ability to opt out and collect the proper consent going forward.

Do you have to get rid of that data?

You’re not going to have to erase it and start over again -- you’re not required to purge existing data. But starting on May 25, if anyone asks you to delete or modify, etc., you have to be able to do that. And you will have 28 days to give them what they’re looking for.

But some companies are — didn’t one firm completely erase its database?

I don’t know the details, but that may be because how they acquired it wasn’t so awesome in the first place.

Let’s say you match an email address with a postal address -- is that a problem? 

If that email and postal match, it means someone had to open an account with you to ship them a product; it shouldn’t be an issue. But how much you share downstream with other partners — that’s where it gets interesting. You have to correct the consent from the customer when you do it. What’s your legal basis for collecting the data?

What are the penalties for failure to comply with the GDPR? 

The fines start at 20 million euros and go up from there, up to 4% of your global revenue. It’s huge. If you’re the email tech provider, and you’re the reason for the fine, the company is going to stick that on you. What’s coming is a massive set of contract negotiations to determine who’s got the liability. It’s like a Full Employment Act for lawyers. 

Should you work only through European vendors who understand the GDPR?

There’s no requirement that it has to be based in Europe. What is important is that company has a clear understanding of how to do business there. One of the ironies of the GDPR is that some part of it is meant to improve the competitiveness of European technology companies. But the cost to small companies may lead to a flight to bigger companies because buyers may have more confidence that they have this privacy stuff figured out. 

Are you better hiring off a European lawyer?

You’re better off hiring a privacy lawyer who knows what they’re talking about. There are some good attorneys out there and some people who are passing themselves off who really don’t know anything. The dumbest thing you can do is not get prepared. They will be looking for companies that are not taking it seriously.

Do you think some U.S. companies will simply stop doing business in Europe?

Some companies will. But it’s just as likely that companies will eliminate products before they pull out of specific markets.

Are all countries going to be implementing this in the same way?

There are always going to be variations among nations. The EU member states are going to have fairly wide latitude of how strictly they enforce it.

Does Brexit mean you can evade the GDPR in the UK?

No. The UK has already said they’re going to comply with this as if they were still in the EU. Second, it’s not clear when full Brexit will happen. It’s a pretty long time, maybe two years. There may be a year or more where the UK is still in the EU.