If you do business in the European Union, or want to, you need to be aware of GDPR's potential impacts on your search and marketing plans. While GDPR extends beyond the marketing team, putting your head in the sand can have significant consequences. Step up, watch the risks, and move to minimize them now; you will look smart later.

“The sleeper issue of 2018 will not be compliance but how consumer advocate groups use GDPR to prosecute their agendas by using the regulation’s ‘right to be forgotten’ clause — exhausting companies’ resources and damaging their brands.” – Forrester [1]

The General Data Protection Regulation (GDPR) is a new European Union (EU) privacy regulation that goes into effect on May 25, 2018. GDPR is not about making a couple of changes to privacy notices. This new rule hands privacy control (and access) back to the individual and standardizes privacy requirements across the EU. GDPR can impact your entire business and needs to be a top-led, customer-first, ongoing part of business and marketing processes. Take it seriously.

The Impacts

You will want to know how this impacts your marketing actions. Here are several critical points to be aware of:

| Provision | Description and requirements |
|---|---|
| Breach Notification | You must notify EU supervisors of the data breach within 72 hours of first becoming aware of the breach. You must notify your customers within 72 hours if the breach exposes information that may impact them. |
| Right to Access | If an EU resident wants to know what personal data you have and/or what you are doing with that data, you must provide them the information and details about their data in a consumable way. |
| Rectification | If the EU resident thinks your data for them is incorrect or incomplete, they can give you their changes and you must update their information in your systems in a timely manner. |
| Right to be Forgotten (Data Erasure) | Residents have the right to have you delete their personal data and stop further use or sharing of their data when it is no longer relevant to the original purposes for which it was collected, or when consent to use the data is withdrawn. |
| Data Portability | Residents have the right to receive the personal data provided to you and also transmit that data to another vendor. |
| Privacy by Design | Data protection needs to be a design principle of information management systems and processes, rather than an afterthought. System privacy settings are to be strong by default. Only store and process the data necessary for the completion of designated tasks. Processors must limit data access to required personnel. |

Applicability to Search Marketers

Personally Identifiable Information (PII) is given a broad definition in GDPR. As search marketers, our tactics often use PII in ways we don’t think are bad, but may cross the GDPR boundaries. Here are some common tactics that may cross those boundaries and require your evaluation of the risks you (and your company) are willing to assume.

  • Targeting IP addresses
  • Keeping IP addresses (or other PII)
  • Using “Like customers” on Facebook
  • Retargeting
  • Collecting cookies
  • Building lists without opt-in
  • Having legalese in your privacy policy
  • Buying/partnering for contact lists
  • Not managing PII and data access

The premise behind most of these potential “issues” is that holding or using EU residents’ PII or other data, whether they are in the EU, US, or anywhere, requires the person’s consent, given with knowledge of how you will use the data and how long you will use it. Consent must be freely given, specific, informed and unambiguous, expressed by a statement or by a clear affirmative action. Opt-ins for consent must be understandable for the people consuming them, distinct for each type of action (email campaign opt-in distinct from web tracking), and not pre-checked. If you don’t have this permission, you are probably in violation.

7 Steps to Take Now to Look Less Like a Target

Doing nothing is always an option. I don’t recommend doing nothing, and I have a note on those risks further down. Here are some steps you can take to reduce some of your risks.

  • Update your privacy, retention, and cookie policies – you need to meet the GDPR standards (discoverable, easy to understand, easy to take action)
  • Find your data – if you don’t know where it is or who has a copy, it probably isn’t secure
  • Understand what you do with your data – if you don’t know what happens to your data in the rest of the company, can it be secure?
  • Build breach, erasure, & rectification plans – respond on time to customer requests or face the fines
  • Review IT and data contracts – if your vendors aren’t GDPR compliant, you aren’t either
  • Document everything – you have the burden to demonstrate intent and prove your compliance
  • Make sure your CEO knows the risks – GDPR affects the entire company, not just marketing

Compliance Tips and Tricks

Enable web campaign contacts and requests
  • If you collect cookies, let your EU customers know and have an acceptable opt-in solution. You can check out the websites of most large companies (news sources and consumer goods) for examples.
  • Enable opt-outs and requests for information in the same manner in which you reached the person. If you are emailing, provide a link to opt out and a link to your privacy policy at the bottom of the email.
  • Free means no strings attached. If you want an email address in exchange for a whitepaper, don’t call it a “free whitepaper”; just offer a whitepaper without calling it free.
  • Allow people to contact you via your website for opt-outs or information requests. Few will do it, so don’t make it impossible.

Document your work

This is really important. Intent and proof are the words of the day. When something happens, you are responsible for proving that you did your best and deserve leniency. These are not US rules: you are guilty until you prove you are innocent. Document all your meetings, tech builds, and marketing actions.

Ignore at Your Own Peril

GDPR comes with stiff fines, up to €20 million, plus jail options for troublemakers in some countries. The enforcement agencies will be looking into all complaints, and those agencies may be funded by the fines they generate.

Doing Nothing

If no one complains, your competition doesn’t want to distract you, and your bank or board don’t inquire, you might be free forever. I don’t recommend making that bet.

EU contacts

Any contact from an EU agency will come from one of the Data Protection Authorities on this list: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

Official requests from Gmail or .rus are spam.

What’s Next

You can’t ignore the new privacy rules forever. Canada has some big fines on the books already, and Australia and others are modeling new laws on GDPR. Think of your work as an investment.

This is a surface-level view of the GDPR regulation. If you want to learn more, let us know the specific topics important to you, and we will try to make that information available. If you want to reach me to talk about your options and how GDPR applies to your specific scenario, you can email me at jon.trohimovich(at)gmail.com

This short post covers several critical points you need to be aware of to look less like a target. GDPR is broad in scope and compliance will vary greatly between organizations. This post is provided for informational purposes. It should not be relied upon for legal advice. You should work with a competent advisor to confirm you have minimized your risks.

  1. “Predictions 2018—A Year of Reckoning,” Forrester