If you are 100% sure that you only serve non-EU citizens, then feel free to read a different blog post on customer data protection.
If like many of our clients, you have customers who are EU citizens, then hopefully you’re paying attention to the new GDPR regulations that will take effect on May 25th, 2018.
Let’s be honest. Despite having had two years to prepare for this, most companies on this side of the pond are getting caught with their proverbial pants down, as evidenced by Hubspot’s GDPR Last Minute Kit. So here’s a bit of a rundown and roundup on the latest in customer data protection regulations.
What is GDPR?
GDPR stands for General Data Protection Regulation. You can find a full text of the regulations here. It basically protects the personal, identifiable data of EU citizens no matter where the country holding the data is situated. So, if you’re storing EU citizen data in a server in Rwanda as a business in New Zealand, this still applies to you.
Why should I be concerned about it?
Like I said, if you serve any EU citizens, it applies to you. And if you
- send marketing emails,
- track website visitors,
- have a loyalty program, or
- otherwise process large amounts of customer information,
you can be liable for fines up to 20 million Euros or 4% of your worldwide annual revenue. The EU is taking consumer data protection very seriously.
What should I do?
With all the data breaches in the news, this is a great opportunity to make sure your company is fulfilling the highest standards in customer data protection.
Here’s a starting list:
- If you think GDPR applies to you, you may want to appoint a data protection officer and/or hire someone to do a GDPR audit on your company.
- You can prepare for your audit by finding out:
  - What data does your company hold?
  - Where does your company store this data?
  - What is that data used for?
  - Who has access to this data?
- Learn and document how the companies you use are dealing with your customer data.
  - For example, Salesforce and Hubspot both have dedicated pages on GDPR compliance, including the changes they’ve made to their platforms to ensure that their customers are compliant. Any legitimate CRM or marketing automation software should be able to tell you what they’ve put in place to achieve compliance on their end.
- Document everything your company is doing to deal with GDPR.
  - One of the liability factors associated with GDPR is that regulators will look at whether your company was aware of the regulation and what your company did to achieve compliance.
What does GDPR require?
Okay, for a full list of requirements, definitely refer to the regulations text. But here are some highlights:
GDPR includes data that can lead to direct or indirect identification of a person.
- Expected things like names, emails, phone numbers, addresses, biometrics
- Things you might not have thought of, like IP addresses, gender, job title, workplace, and physical identifiers
- Broad catchalls such as “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity”
GDPR requires accountability and transparency in data processing. You must tell customers:
- the kind of data you collect
- how that data is used
- how a customer can contact you to change how their data is used (more on this later)
When choosing between asking permission first or forgiveness later, most companies are used to asking forgiveness later. The EU is ensuring that we ask permission first.
Consent and transparency are HUGE.
More on this in our post about GDPR for restaurant marketers, but companies are required to be very clear what they are using customer data for with a level of specificity not required before.
According to GDPR, organizations can collect personal data only for a specific, explicit, and legitimate purpose and only data that is necessary to that purpose. And the data can only be used for the purpose stated to the customer. So after May 25th, you can no longer automatically send marketing emails to customers unless they’ve consented to marketing emails. Part of complying with GDPR is tracking what customers have consented to and what they were told when they consented.
Customers have more rights regarding their data.
With GDPR, customers have the right to see the data you have on them. Any software you use to manage customer data must be able to export that data, in the event that an EU customer requests it, even if they are requesting it so they can give it to another company.
Also, customers have the “right to be forgotten”. This means that businesses may only keep data as long as it is needed for the stated purpose, and if a customer requests that you delete all their information, you must be able to do so.
Just treat your customers with the care and respect you’d give your grandma, and if you can say it out loud and add “MUAHAHAHAHAHA” like an evil villain to the end of it…you probably aren’t in compliance with GDPR.