What GDPR Means for U.S. Brands

If you work with data, or if data is important to your brand, you've no doubt heard about GDPR. We hope so, anyway. The General Data Protection Regulation (full text here) is a piece of legislation which will come into force across the European Union on May 25, 2018. But you shouldn't turn your head the other way even if you're an American company. GDPR will affect your brand if your marketing and eCommerce operations reach a European audience.

For companies who operate in European markets or who have actual or potential customers within those countries — even if your physical operations take place in the United States — strict compliance with GDPR is mandatory, and the penalty for failing to comply is a fine. A major fine. We're talking about a 4% of your global annual revenue (or up to €20 million) kind of fine.

In short, if you process data about individuals in the context of selling goods or services to European citizens in any EU country, then you will need to comply with GDPR.

But what exactly does GDPR require, and how must you comply?

At the bare minimum, the GDPR was drafted with the intended purpose of protecting all non-anonymized personal data (or personally identifiable information: PII). And any company (or organization) that stores or processes personal information about “natural persons” (individual human beings) who are “data subjects” under the Regulation — defined as European citizens who reside in an EU state — must comply.

The basics of GDPR

In its long and detailed text, the GDPR defines what types of personal data are at stake here:

  • Name, address, and phone number
  • IP address and cookies
  • Racial identity
  • Religion and religious affiliation
  • Health and genetic data
  • Biometric data
  • Sexual orientation and gender preference

Digital marketers: Notice the first two entries on that list, and then consider the following.

Storing or processing of personal data can be undertaken only if:
  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which the controller is subject
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

That's a lot of legalese, I know. So to put it in layman's terms: You can't just go ahead and profit from personal data any more, if the data relates to European data subjects. Maybe we should just quote paragraph 70 of the preamble to underline that point — emphasis added:

“Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”

And to make matters even more difficult for multinational companies, there is also a “right to be forgotten.” More about that below.

Of course, on the one hand, this imperative to protect personally identifiable information about European subjects threatens business strategies, practices, and processes worldwide, especially cloud, SaaS, and mobile-driven enterprises. In order to cope with the GDPR, brands with international operations have been developing alternative and compliant data-storage centers within the EU. According to a report released by PwC, 64% of executives at U.S. corporations reported that “their top strategy for reducing GDPR exposure is centralization of data centers in Europe. Just over half (54%) said they plan to de-identify [i.e. anonymize] European personal data to reduce exposure.”

“The threats of high fines and impactful injunctions, however, clearly have many others reconsidering the importance of the European market,” the study says. In fact, 32% of respondents plan to reduce their presence in Europe, while 26% intend to exit the EU market altogether.

That's a high percentage of lost business, but if you're a company that wants to navigate the terrain and remain in the EU, here are a few things you need to think about.

Page 1 of 2
