European Union Data Protection Regulations: Coming Soon to a Theater Near You
- As suspense builds around the EU Data Protection Regulations, marketing orgs feel stuck in a thriller film waiting for the new regulations to arrive
- The EU Data Protection Regulations apply to all companies doing business within the EU
- Marketing teams should work with marketing ops to determine what in-house process and infrastructure changes are required to comply
I love the movie Jaws. No matter how old I get, I still get tingles down my spine every time I hear the music used to announce the imminent arrival of the shark. “Dum, dum … dum, dum …”
As suspense and concern build around the planned European Union Data Protection Regulations, many marketing organizations feel they are stuck in their own thriller film waiting for the new regulations to arrive. And it’s not just inside the EU either. Marketing teams around the world are in the same boat; the EU Data Protection Regulations will apply to all companies doing business within the EU, regardless of where they are located.
So, how long will we have to wait? According to the European Commission, the goal is to have things wrapped up by the end of 2015. Once that’s done, there will be two years allotted for implementation across the EU. That doesn’t mean, however, that businesses can simply ignore what’s going on. While the final regulations may not be imminent, the EU has already made its guiding principles very clear. Marketing teams would be wise to look at these now and begin working with their marketing operations team to determine what in-house process and infrastructure changes are required in order to comply.
Here are some of the principles the European Commission reinforced in its January 2015 statement:
Getting Explicit Consent From Individuals
An individual’s consent will be required to store and use his or her personal data. This includes his or her name, email, phone number, title, company, and address. Consent must be given explicitly, not just assumed as implied. Consent also cannot be transferred to you from a third-party data broker.
An Individual’s Right to be Forgotten
Any individual will be able to request that his or her personal information be deleted as long as there is no legitimate reason for the data to be retained. This goes beyond the type of personal data discussed above. It also includes an individual’s digital profiling information captured in a marketing or sales force automation platform. Simply marking an individual’s record as “Opt Out” in the marketing database will not be sufficient.
Putting Data Protection First
“Privacy by design” and “privacy by default” will need to be built into all products and services, even tools such as online trials offered by marketing as a demand creation tactic. Data protection processes will need to be built in from day one.
Handling Security Breaches
Businesses will need to inform individuals without undue delay about any data breaches that could adversely affect them. They must also notify their local supervisory authority of any serious data breaches as soon as possible.
One-Stop Shop for Help
The new regulation will establish a single, pan-European law for data protection that will replace the current inconsistent and difficult-to-navigate patchwork of national European laws. The EU will also establish a “one-stop shop” mechanism for businesses, ensuring they will only have to deal with one supervisory authority regardless of the number of EU countries involved.
Non-EU Companies Must Also Comply
Today, European-based companies have to adhere to stricter standards than companies that are based outside the EU but also do business in the EU. With the new regulations, companies based outside of Europe will have to adhere to the same rules as EU-based companies.
The data protection supervisory authorities will be able to fine companies that do not comply with EU rules up to 2 percent of their global annual turnover. There is also discussion of raising this limit to 5 percent of global annual turnover. This will mean that fines can quickly run into the millions.
While all this may sound scary, the fact is that the single EU directive will bring about positive change. The new laws and transparency will help address the lack of trust customers have today about sharing their personal information online. It will also mean marketers will need to offer prospects truly compelling reasons to become engaged or prospects will simply not agree to share their personal details. As such, companies that are able to establish personalized and relevant exchanges with their prospects will have a strong competitive advantage over those that continue to broadcast generic marketing messages.
There are steps businesses can take now to start getting ready. In my next blog, I’ll share some ways in which companies can start thinking about and planning for the changes they’ll need to make in the coming months.