• by Jess Nelson , August 29, 2017

Brands have nine months to prepare for the General Data Protection Regulation (GDPR) in Europe, or face severe fines for data security breaches.

GDPR goes into effect on May 25, requiring any company marketing to European countries to adhere to stricter standards of data collection. If left unaddressed, previously trivial data collection practices could pose significant financial risk to organizations. 

Marc Shull, SVP of social and disruptive marketing strategies at Yes Lifecycle Marketing, says that now is the time for marketers to adjust their strategies. If they don’t begin to review their program policies, vendor agreements, and data management practices soon, they won’t be ready for GDPR to go into effect. 

“Costs could be devastating to many business, or at least get a lot of people fired,” says Shull.

Shull warns brands to not drop the ball on GDPR, as a lack of compliancy could have steep consequences. Shull thinks that Europe will be “looking for a poster child” for GDPR, and wages fines could even beat the record $2.7 billion antitrust fine slapped on Google by the EU at the end of June.

The level of consent and control that GDPR requires is widely different than the data privacy rules in the United States, but U.S.-based organizations are still required to comply with the legislation when communicating with consumers based in Europe. 

A central piece of the legislation is the ownership of data and the “right to erasure.” GDPR effectively gives European citizens ownership to their own data. GDPR grants consumers the ability to request to see what data a brand has on them, and requires companies to delete all of a consumer’s data if they request it. 

Effectively erasing all data is not an easy task, so data “needs to be automated,” says Shull. “There can be no orphan email lists running around.”

Any data point tied to a specific individual counts under GDPR, says Shull. Depending on the industry and company, that personal data could vary, from social media handles to pre-existing medical conditions.

This means that siloed data will be a major concern for brands, as GDPR compliance requires control over data. As a starting point, Shull recommends that every brand conduct a data audit of their organization, begin training employees on GDPR compliance, and consider hiring a data protection officer.

A data audit is important because “until you know what needs to be fixed, you don’t know where to start,” says Shull. He recommends that marketers treat all customers as if they are European -- it may not be practical to segment out Europeans, and most marketers do not track nationality.

Shull says “certain things” about the law “are very clear, but there’s a whole host of things that aren’t.”

As is the case with any law, the legal specificities of GDPR can be tricky. It all comes down to the wording of the law and how that wording is interpreted. 

For example, the data retention portion of GDPR restricts companies to only keeping data as long as it is necessary. But the law does not define what quantifies “necessary,” and any marketer will likely argue that keeping data longer is necessary for the sake of personalization.   

Shull also sees potential issues arising around product recall and safety notifications. What would happen if a consumer asked to be forgotten by a company that then had a massive recall? How do you notify a forgotten individual?

Because of the legal implications, Shull advises brands to conduct their internal data audit with legal counsel.