Europe s General Data Protection Regulation (GDPR) and Your Marketing Efforts

Transcription

1 Europe s General Data Protection Regulation (GDPR) and Your Marketing Efforts

2 Europe s General Data Protection Regulation (GDPR) and Your Marketing Efforts On May 25, 2018 a new set of rules regarding how companies collect, retain and utilize the personal information of European residents will take effect, along with hefty potential fines if those laws are not adhered to. As such, if you explicitly market to people in the European Union (EU) and/or the United Kingdom (U.K), the importance of evaluating how you collect and use customer data can not be understated if you want to save yourself from (at the very least) future headaches or (at the most) financial/legal hardship. General Caveats In an effort to best help our clients, we ve put together this document based on things we ve learned about GDPR, and how it will/can impact many businesses around the world, including 78Madison. Note this document is intended to serve as a starting primer in helping our clients understand what the GDPR is and how it might impact your business, as well as how we may assist you in achieving compliance. An important disclaimer from 78Madison: We are not attorneys, and the information shared in this document is not and should not be looked at as legal advice. It is simply a document meant to help our clients and partners lay a foundation of understanding how you might be impacted and what types of issues will likely come into play, in order that you may have a more informed position to start from when engaging with the actual decision-makers for your company. What is the GDPR Have you ever received an or direct mail piece that is targeted to your name, and you thought I know for certain I didn t agree to receive that kind of marketing? I m sure you have, because we all have. In order to combat this type of unsolicited intrusion, the EU and U.K. have passed what is called the General Data Protection Regulation (GDPR) setting up a framework of how personally identifiable information for EU and U.K. residents must be managed. This framework offers EU and U.K. residents a number of new rights and sets up requirements for companies that manage the information on EU and U.K. residents (along with some theoretically extremely steep fines). These requirements not only impact companies doing business in Europe, but also to U.S. companies who market to EU and U.K. residents. As a result, it behooves most American companies to do an assessment of how they collect and manage the data of people to whom they market.

3 What types of things do I need to take into consideration? Can you document exactly how and where you obtained each user s personal information, and whom you share it with? If you obtained the information from a third-party, what methods did they use to obtain the information? Did they obtain the information from a legitimate opt-in form? The GDPR lays out an accountability principle, where if someone files a complaint against you, you need to be able to show how you came into possession of their information (or how you were authorized by them to use or share that data). Did you effectively outline your privacy policy in simple to understand terms? The GDPR frowns upon linking people to lengthy legal-driven Terms of Service type documents that frankly require an attorney to understand. They prefer a simple explanation of how the data will be used at the time of signup. Do you have the ability to tell a subject (if requested) how you obtained their data, and what marketing materials have been sent to them? Do you have the ability logistically to respond to such a request in a timely manner? Does your privacy policy outline the lawful basis you have for processing data? While this seems quite ambiguous at the moment, the open-endedness of this language could have implications in the future if what s deemed lawful about how data is processed is altered. Consent Can you provide documentation showing consent for user data to be held for every person to whom you market? Consent must be freely given, and specific about the types of marketing materials they will receive. It also must be informed and unambiguous. There must be an explicit, positive opt-in provided by your EU and U.K. recipients. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must be separate from other terms and conditions, and you will need to offer people the ability to withdraw consent. Do you ensure that you are not marketing to children (16 and under in most of the EU, 13 and under in the U.K.)? Or if you are, are you requiring parental consent? Do you have a means to effectively detect, investigate and report data breaches? In the event that user data is compromised, the Information Commissioner s Office (ICO) must be notified of that breach (including who was impacted) within 72 hours. Do you or your agents have someone qualified to be designated as a Data Protection Officer? In other words, who is responsible for keeping track and ensuring that data protections are in place?

4 What rights are EU and U.K. citizens granted in the GDPR? According to the official GDPR website (eugdpr.org), the following rights are granted: The right to be informed The right to restrict PROCESSING of their information The right of access to their information The right to data portability The right of rectification The right to object to their data being utilized The right to erasure of their information The right not to be subject to automated decision-making including profiling and do you have mechanisms in place to grant those rights? Example Scenarios Scenario 1 You 60,000 people twice a month with a list purchased from a third-party organization. Relevant Questions: Do I know who on this list is in the EU and/or U.K.? Let s say an EU resident complained; can I show documentation of how he/she ended up on this list? Can I show documentation outlining where he/she gave consent to be marketed to in this way? If your answer to the above is probably not, then it is pretty likely (in our opinion) that you would be open to be classified as a spammer by EU standards and potentially subject to hefty fines. Key Takeaway: It is a bad idea to use lists where the recipients are unknown to you, virtually impossible to locate geographically, and/or where consent most likely cannot be documented.

5 Example Scenarios Scenario 2 You collect addresses on your website, and use them for your marketing campaigns. Do all of the rules noted above apply to me? This one is actually a bit complicated, and we ll give you our understanding as a starting point - but you might want to consult with an attorney. Relevant Questions: Is the webpage where you collected their data meant to specifically target people in the EU and/or U.K.? In other words, did the user find your generic.com English site through Google, and submit their data on a generic form that would be equally valid for all countries? Any complaint from an EU or U.K. person that can be documented as coming from this page probably isn t covered by the GDPR. Did the Dutch user (as an example) go to my web form written in Dutch and submit their information there? Their information, rights and your responsibilities (again, in our opinion) are likely covered by the GDPR. Make sure you properly inform them about what you are going to do with their data, acquire consent, etc. Scenario 3 You are a hotel that has a third-party vendor that builds user data based upon past guest data from your property management system, web-forms on your site, etc. Relevant Questions: Was the customer appraised of how their data would be used at the time of check-in? In the likely event the answer to #1 is no, do you have the ability to acquire consent going forward by mailing and/or ing to them to get positive consent? In the event that the user wants their personal data removed/deleted and since the data comes from our property management/past guest system how does that work?

6 General GDPR Frequently Asked Questions* What is considered personal data under GDPR? Does it include publicly available information such as office addresses and work phone numbers? According to the language on the GDPR website (eugdpr.org), it s Any information related to a natural person or data subject, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an address, bank details, posts on social networking websites, medical information, or a computer IP address. Basically, GDPR considers any information that can be used to identify a specific person as personal data that must be protected, if that person is a EU or U.K. resident or citizen. Who has to comply with the regulation? Any organization that collects the personal data of any EU or U.K. resident or citizen must comply with GDPR, regardless of the organization s location. This means both data controllers - in this case, the organization that is in charge of why and how the data is collected and processed - and data processors, the third-party suppliers that process the data on your behalf. As long as there is an EU or U.K. citizen or resident that your organization markets to, you must comply with GDPR. Keep in mind it also applies when you have a U.S. citizen who is a current resident of the EU or U.K., so you can t just go by passport nationality. And if you are wondering if it applies to those conducting digital marketing campaigns that target EU/U.K. citizens or residents, the answer is yes, big time! Are there any sample GDPR consent forms we could use? No. You cannot just use a standard disclaimer as a blanket consent for all of your events, and the opt-in has to be active - no pre-checked opt-in boxes allowed. For each instance in which you collect data, you need to outline what data is being collected, how it s being collected, who will have access to it, and what specific purpose you and any others you share it with will be using it for. Whether your opt-in form is included in your registration online or on site, it has to comply with GDPR standards. According to the GDPR website, Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. If you collect data through events held at your venue or organization you also need to ask attendees for consent to include them on your attendee list, including on your event app, and don t forget to list the suppliers who are collecting and using the data on your behalf, and every manner in which they are using it all of that must be disclosed. And yes, this means you can t share mailing lists or labels with exhibitors or sponsors unless it is explicitly disclosed up front in your opt-in form (and attendees can opt out of sharing that information with any of the third parties named in the form). The consent form will also have to include how individuals can request that their data be deleted, and any consequences that may come from opting out, such as not being included on your hotel rooming list.

7 How do we handle getting retrospective consent from those who are already on our lists because they are past attendees or prospects? Do we need to request that they opt in, and if they don t respond, remove them from our list? Yes. Be sure the consent form you send them includes all the details about the data you are collecting, who you will share it with, etc. Your pre-gdpr consent and opt-in forms will not necessarily provide all of the information - including how to opt out - that the new regulatory standards require. One of the best practices for getting GDPR-ready is to conduct a data and processes audit so you can resolve any gaps you identify. How should you get started? We recommend having a conversation with your legal team to find out what the company already is doing for GDPR so you can figure out what you need to do to comply in your area of responsibility. We would also recommend discussing your current program processes and standards about personal data collection, retention, and deletion with your technology suppliers, destination management companies, meetings and event management suppliers, and any other partner supplier you rely on to manage your data. Having those conversations and planning support will give you a specific compliance roadmap. Who in my organization should be our dedicated GDPR point person? That will depend on your organization, but you should have someone who is committed to lead and learn about everything GDPR to safeguard your organization as well as your team. What is privacy by design? Privacy by design as a concept has existed for years, but it is only just now becoming part of a legal requirement with GDPR. Privacy by design calls for the inclusion of data protection from the onset of the system design, rather than an addition after the system is built. What should be your next steps? Discuss with your legal team Conduct a data audit Draft a clear consent form Collect retrospective and proactive consent Establish clear practices to remove requested data

8 Close Like many EU laws, the GDPR is long and complicated, and perfect compliance is likely pretty difficult. But there are many low hanging fruit issues that can be addressed to show good faith in the event that any complaint is actually filed. What that takes is a good understanding of how your data is accumulated and managed, then looking at those practices in the context of consent and accountability. As always, we re here to help! 999 Douglas Avenue, Suite 3301 Altamonte Springs, Florida info@78madison.com * Please note that the majority of the FAQ section came from the following source: meetingsnet.com, author Sue Pelletier, in a Q&A with Kevin Iwamoto, a senior consultant with GoldSpring Consulting 78Madison did alter some of the text to make it non-specific to meeting planners, and added the final next steps section.