Countdown to GDPR: How it affects Canadian marketers

You may have noticed the onslaught of privacy policy emails going around last week. Twitter, Facebook, and other social media platforms are on serious damage control in response to the European Union’s General Data Protection Regulation. Don’t let the “European” part fool you, the EU GDPR will affect businesses and marketers all over the world. Luckily, it doesn’t kick off until May 25th, 2018, so you have more than enough time to prepare.

Here’s what you need to know.

What is the GDPR?

The GDPR  is a regulation governed by the European Commission that aims to strengthen and unify data protection for individuals within the European Union (EU). The GDPR also regulates the export of personal data outside the EU. When it takes effect, new regulations will establish new requirements for companies that collect, use, and share data about EU citizens.

The GDPR gives EU citizen’s the right to:

• Access their personal data
• Know how it’s being used
• Ask for errors to be rectified
• Restrict the processing of their data
• Obtain their data
• Object to certain uses of their personal data
• Request their personal data to be erased
• Request an explanation about automated decisions

The GDPR also requires companies to notify users of a data breach within 72 hours of becoming aware of it.

Should Canadian marketers care about the GDPR?

If your company collects, uses, or shares the personal data of European citizens, the GDPR applies to you. Whether your company has physical operations in Europe or not, business owners should prioritize making the necessary changes.

If you’re feeling a little dangerous and decide to ignore the GDPR, you open yourself up to some hefty fines. Hefty to the tune of €20m or 4% of your company’s global annual revenue – whichever is more.

This isn’t iTunes asking you to agree or decline. You actually need to care about this.

As a Canadian marketer, what should you do?

Make a list of all the places your organization collects data

The Financial Post noted that any interaction with EU Citizens could have GDPR implications. “It could be an email address or phone number, or some exchange at the cookie level of an EU citizen. Some of the information you collect could easily fall under the regulatory rule set.”

To get a full understanding of what you’re dealing with, make a list of interaction points referencing anything that involves user information. This includes website interactions, app interactions, text interactions, phone interactions, and so on.

Appoint a GDPR expert on your team

In some cases, it will be obvious where Canadian companies collect EU citizens’ data. For example, when a European customer gives their information on an e-commerce site, their billing address will identify them as an EU user. Easy.

Unfortunately, not all instances will be this simple. For example, the GDPR “may apply to companies that track the online activity of EU citizens, potentially including those companies doing it for targeted advertising purposes” warns Kirsten Thompson, a law partner at McCarthy Tétrault LLP. What does that mean for AdRoll prospecting? What about targeting on LinkedIn? Appoint an expert on your marketing team to find all the answers and ensure you’ve got a handle on your touchpoints.

Clear communication is critical

Learn from the recent mistakes of Facebook, transparency is in right now. Update your privacy policy and notify your email lists of any changes. Don’t break out the thesaurus or practice your lawyer lingo. You’re not trying to trick anyone. This is about being straightforward.

Check out Instagram’s notification. Sure, you’ll need to scroll, but no one’s getting a hand cramp making their way to the bottom. On top of that, they’re clear in their phrasing, keeping things simple and doing away with the curveballs.

Set up a response protocol and response team

What happens when an EU citizen asks for their information to be removed? Who’s stepping up to the plate?

Along with a GDPR expert, you’ll need to line up a response team and nail down your protocol. Who’s responding to emails? Who is fingers to the keyboard? What goes into the process of removing data from your systems? Depending on the size of your company, this could be a large task with a lot of moving parts. Best get to appointing!

No time to spare

May 25th is coming up fast! It’s time to batten the hatches and get to the basement. As with any new policy or regulation, it’s important to gain a firm understanding and be proactive. Group your team, round up your databases and talk to your marketing agency about any and all campaigns.  Follow these steps and you’ll be just fine. Put it off and risk being fined. Good luck!