What GDPR Means for U.S. Brands
If you work with data, or if data is important to your brand, you've no doubt heard about GDPR. We hope so, anyway. The General Data Protection Regulation (full text here) is a piece of legislation which will come into force across the European Union on May 25, 2018. But you shouldn't turn your head the other way even if you're an American company. GDPR will affect your brand if your marketing and eCommerce operations reach a European audience.
For companies who operate in European markets or who have actual or potential customers within those countries — even if your physical operations take place in the United States — strict compliance with GDPR is mandatory, and the penalty for failing to comply is a fine. A major fine. We're talking about a 4% of your global annual revenue (or up to €20 million) kind of fine.
In short, if you process data about individuals in the context of selling goods or services to European citizens in any EU country, then you will need to comply with GDPR.
But what exactly does GDPR require, and how must you comply?
At the bare minimum, the GDPR was drafted with the intended purpose of protecting all non-anonymized personal data (or personally identifiable information: PII). And any company (or organization) that stores or processes personal information about “natural persons” (individual human beings) who are “data subjects” under the Regulation — defined as European citizens who reside in an EU state — must comply.
The basics of GDPR
In its long and detailed text, the GDPR defines what types of personal data are at stake here:
- Name, address, and phone number
- IP address and cookies
- Racial identity
- Religious affiliation
- Health and genetic data
- Biometric data
- Sexual orientation and gender preference
Digital marketers: Notice the first two entries on that list, and then consider the following.
Storing or processing of personal data can be undertaken only if:
That's a lot of legalese, I know. So to put it in layman's terms: You can't just go ahead and profit from personal data anymore if the data relates to European data subjects. Maybe we should just quote paragraph 70 of the preamble to underline that point — emphasis added:
“Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”
And to make matters even more difficult for multinational companies, there is also a “right to be forgotten.” More about that below.
Of course, this imperative to protect personally identifiable information about European subjects threatens business strategies, practices, and processes worldwide, especially cloud, SaaS, and mobile-driven enterprises. In order to cope with the GDPR, brands with international operations have been developing alternative and compliant data-storage centers within the EU. According to a report released by PwC, 64% of executives at U.S. corporations reported that “their top strategy for reducing GDPR exposure is centralization of data centers in Europe. Just over half (54%) said they plan to de-identify [i.e. anonymize] European personal data to reduce exposure.”
“The threats of high fines and impactful injunctions, however, clearly have many others reconsidering the importance of the European market,” the study says. In fact, 32% of respondents plan to reduce their presence in Europe, while 26% intend to exit the EU market altogether.
That's a high percentage of lost business, but if you're a company that wants to navigate the terrain and remain in the EU, here are a few things you need to think about.