AccuList USA supplies data and direct marketing services to organizations with international as well as domestic reach. Starting this May, any U.S. marketer targeting actual or potential customers in the European Union (EU) countries must navigate a changed data landscape thanks to the new General Data Protection Regulation (GDPR). It doesn’t matter if the brand, marketer or data processor is based in the U.S.; strict compliance is mandatory. And shrugging off new data rules is a very costly mistake. Noncompliance can mean a fine equal to 4% of global annual revenue!
GDPR Seeks to Protect Personal Data
The intended purpose of the regulation is protection of non-anonymized personal data, and compliance is required of any company (or organization) that stores or processes personal information about individuals (“data subjects”), who are defined as European citizens residing in an EU state. The protected personal data includes:
- Name, address, and phone number
- IP address and cookies
- Racial identity
- Religion and religious affiliation
- Health and genetic data
- Biometric data
- Sexual orientation and gender preference
Individuals Have New Data Rights
GDPR’s regulated “data controllers,” who determine how data is processed, and “data processors,” who handle data on behalf of data controllers, must respect key rights with regard to personal information. For example, there is an individual’s right of access: the right to know what personal data has been collected and how that data has been processed. There is a right to accuracy, and to restriction of data processing in the case of inaccuracy. There is a right to “freely given” and “explicit” consent for processing and storage of personal data; consent may not be regarded as “freely given” where performance of a contract is made conditional on consent to data processing that is unnecessary to that contract’s performance. The data subject also has the right to data portability, meaning the ability to request and receive personal data in a format easily transferred to another data controller. Finally, there is erasure, or “a right to be forgotten,” which allows individuals to withdraw their consent for data use or storage and demand that personal data be erased and no longer processed.
Not sure it applies to you, direct marketer? Consider this GDPR wording: “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.”
How Are U.S. Brands Handling GDPR?
Obviously, GDPR has big impacts on business strategies in the European market. For one thing, if you are handling personal data on a large scale or processing particularly sensitive data (such as health, race or religion), GDPR may require you to designate a specialized Data Protection Officer (DPO) who reports to senior management. In terms of strategic response to the regulation, 64% of executives at U.S. corporations reported that their top strategy for reducing GDPR exposure is centralization of data centers in Europe, according to a report released by PricewaterhouseCoopers (PwC). Just over half (54%) told PwC they plan to anonymize European personal data to reduce exposure. A significant minority are even cutting back European market efforts: 32% of respondents plan to reduce their presence in Europe, and 26% intend to exit the EU market completely.
For a definitive guide to GDPR and explanations of key terms, see this Direct Marketing News article.