By now, many of you will have heard about GDPR, or General Data Protection Regulation, which went into effect May 25.
In today’s global, heavily digitized economy, it’s challenging to think of a business not impacted by GDPR, and digital advertising is no different. Read on to learn more about what it is, and how it may affect your advertising strategy.
What the heck is GDPR?
GDPR is all about personal data privacy and security, which is an increasingly hot topic in an age where we read about major breaches and misuse of data. You don’t have to be a data scientist or chief security officer, for example, to have heard about Facebook’s data misuse or the massive data breach by credit reporting agency Experian.
The General Data Protection Regulation originated in the EU, but because we’re such a global, digital world, well, its adoption has a ripple effect on businesses and consumers around the world.
It states that a person’s “personal data” can only be used with their consent, and that people have the “right to be forgotten” as well as a right to “data portability”.
Big technology companies, as well as smaller startups, will have to give users more control over their data. Plus, along with GDPR comes a slew of technical requirements for how data is managed and stored.
User’s Personal Data
Most of us can inherently grasp what personal data is to us. We don’t want our bank account details shared widely across the internet. Nor do we want everyone to know our health history, private phone numbers, credit history and, well, you get the picture.
In short, if you have data that can identify who you are, that’s personal data.
For marketers, the big deal here is consent. GDPR requires that consent be gathered before this data is used.
Think about your approach to standards, such as cookies, gathering device IDs, location information, and so on. If you’re using these bits of information to specifically identify people, they are now considered to be part of someone’s “personal data”. (Read Recital 30 of the GDPR for the legal language.)
There are also additional rules for children under 16, and specifics regarding proof of consent, how it’s used and so on. Want to see it for yourself?
- Recital 32: Learn more about the conditions required for consent.
- Recital 33: How consent may affect scientific research.
- Recital 38: What GDPR means for children.
- Recital 43: How consent must be proven by websites.
Right to be forgotten and a right of data portability
The right to be forgotten is just that –
The GDPR states that consumers should be able to erase their personal data from companies. It shouldn’t just live on forever; consumers have a right to that information, including taking it away. (See Recitals 65 and 66 to learn more.)
This doesn’t just affect consumers; it also affects in-house processes and operations. In short, marketers need to be able to easily erase data should consumers state the need for it.
And, as for the right of data portability, that means that consumers have a right to obtain their personal data. It can’t be in a wonky encrypted file or a rare format; it must be easy for consumers to view. Consumers also have a right to then share that data with another controller, or company.
What this means for Digital Marketers
Digital marketers can’t hide from the GDPR.
For many marketers, the first battle is to get consumers to “get it”. They need to understand that data sharing isn’t all ugly; that there may be some important benefits for them. (Remember, we’ve been here before, when we chatted to consumers about ad blocking and why they should continue to let us in).
This is where data protection, data leakage and having resources in general around data can give companies a leg up. If consumers are going to share their data with you, they want to know it’s in good hands.
A few key things to know:
- Even Google can’t hide. Consider services like AdSense. Google is no longer basing this on personally identifiable data. And, it’s all because of consent – Google needs to make sure that everyone playing in this field has gathered consent.
- Third-party trackers probably don’t fly. Publishers need to consider that third-party tracker usage needs to comply. Transparency is critical. If you store data, then you need to ask for consent.
- Full interaction users. These users have opted into the full extent of your site – all your services, your entire site, you name it. This may be the sweet spot for marketers, since consent has been gathered and you have a much larger playing field to work with.
- Organizations can be fined up to 4% of annual global turnover or €20 million (whichever is greater). If you are in breach of GDPR, there may be a hefty fine to pay.
The Big Picture
Now is a time for marketers around the globe to think bigger and to get organized—and to put the consumer first.
At MatchCraft, we are working hard to ensure that we keep all personal data secure and retain information only when there is a legitimate business need. We’re also consistently on top of supporting data portability.
Communicating openly about these issues will surely help you gain a competitive advantage. And remember, a silver lining to the GDPR is data quality: marketers are going to be dealing with data from consumers who want to be spoken to! That’s never a bad thing.