Blog

If you’ve been checking your email in the last two weeks or so, you’ve likely gotten a notification from one or more third-party vendors notifying you of privacy policy updates thanks to GDPR. In case you haven’t seen these emails, they go a little something like this,

On Friday, May 25th, the General Data Protection Regulation (GDPR) takes effect in the European Union. In preparation for GDPR, we’ve made some updates to our privacy policy, provided more in-depth information about how we utilize cookies to collect data, implemented options to subscribe or unsubscribe from newsletters…etc.

You might be wondering, If this happened in the European Union, then why do I care? I only do business in the U.S. We’re glad you asked. While any EU-based company or multinational organization is (hopefully) well aware of the changes they needed to make to be GDPR compliant, the effects of this new piece of legislation will be felt far and wide, including by U.S.-based companies who do no direct business with any of the 28 member states of the EU. Basically, if you have an online presence (a website, social profiles, etc.) and market your products or services over the internet, then you need to make sure you’re aware of GDPR guidelines in order to ensure your site is compliant, if applicable.

But what is GDPR, exactly? According to the EU GDPR Information Portal, GDPR (again, the General Data Protection Regulation) “was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” (Source) While many in the U.S. have only been hearing about GDPR since January of this year, the new legislation was actually adopted in 2016 as part of the EU’s effort to better protect its citizens’ data.

In its entirety, the GDPR legislation encompasses quite a few changes, but some of the key updates include clearly stating data collection policies on your web page, obtaining explicit consent to collect personally identifiable information (PII), notifying consumers immediately in the event of a data hack or breach, and appointing data protection officers, among other things. And, of course, GDPR holds the promise of hefty fines and messy legal ramifications should a site be found out of compliance.

A map showing the countries that make up the European Union

GDPR FAQs

So, how do you know if your site needs to be GDPR compliant? If GDPR regulations do apply to your business, how do you go about making your site compliant? And what are the major changes you need to focus on? Check out our GDPR reference questions, below, to help you navigate the new world of data regulation.

What is GDPR?

As stated previously, GDPR is a piece of legislation passed to establish and enforce regulations regarding the collecting and processing of EU citizens’ personal data, and the protection of that information. Not only does it outline concrete guidelines for the handling of users’ personal information, it also threatens the imposition of revenue-based fines should these guidelines not be followed.

Who is affected by GDPR?

Obviously, any EU-based company, or any company that directly does business with any member state of the EU, is absolutely expected to be GDPR compliant. It also applies to any company that offers products and/or services to, or collects data from, any EU residents.

The obvious example here would be if your business sold a product to someone within the EU. But GDPR is much, much broader than that. Consider a couple of different scenarios. Do you have forms on your website? Is there a possibility that an EU resident could fill out that form? Or perhaps you use cookies, pixels, or tags to collect consumer data for audience profile analysis to optimize digital marketing campaigns, or to re-market to consumers who visit your site. Is there any chance an EU citizen could fill out one of these forms, or have their information gathered on your site? If you nodded your head at any of these instances, then GDPR applies to you.

What is considered personal data?

Personally identifiable information, or PII, is exactly what it sounds like – it’s any piece of data that could potentially identify a specific individual. Sure, first names, last names, social security numbers, phone numbers, and email addresses undeniably qualify as PII. But so does age, gender, marital status, race, salary, date of birth, and mother’s maiden name. Any demographic or medical information that could potentially distinguish a consumer on an individual level is considered PII.

An illustration depicting web data security

What is GDPR’s territorial scope?

We’ve already mentioned that if you collect personal or behavioral data from a person within the EU, your company is susceptible to the scope of GDPR. But there are a couple of distinctions that should be pointed out.

First, GDPR regulations only apply to EU citizens who are in the EU at the time of data collection. For EU citizens who were outside of the EU at the time of data collection (say, vacationing in the U.S.), GDPR laws do not apply.

Second, a financial transaction doesn’t have to happen in order for GDPR regulations to apply. Once again, if your organization collects any PII from those residing within the EU, GDPR applies to you, regardless of whether or not that person made a purchase on your site.

What kind of consent notice do I need to include on my site?

GDPR kicks the bar up several notches when it comes to consent from consumers to utilize their information for marketing purposes. According to the GDPR information portal, “companies will no longer be able to use illegible terms and conditions full of legalese…Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language…”

Basically, you can no longer bury consent notices within pages-long privacy policies or include it in a tiny, nearly illegible disclaimer at the bottom of a page. Consent statements need to be in layman’s terms and are required to be clearly displayed with any form on your website.

Another thing to note here is that soft email opt-ins (where consumers are automatically opted into additional marketing simply for making a one-time purchase or download) are not sufficient for consent under GDPR’s guidelines. Also, pre-checked consent boxes are no longer allowed under GDPR.

A consent statement can be a simple, one-line statement included at the bottom of a form, such as, “I would like to subscribe to [company name] emails and promotions to receive the latest news.” However, this statement must accompany a checkbox that consumers can choose to click – it cannot simply be a, “By filling out this form, you agree to…” statement. And remember, clear, concise language is the goal here.

A closeup of a person's hands holding a smartphone

What penalties do I face if my site isn’t GDPR compliant?

GDPR is not messing around when it comes to compliance. Organizations found in breach of GDPR can face fines of up to 4% of annual global revenue, or €20 million, whichever is the greater amount. (FYI – that’s roughly $23.2 million, in case you don’t know the currency exchange rate.) This is the maximum fine for serious compliance issues. Companies may face smaller fines for lesser infractions, but those fines still pack a punch. You could face fines up to 2% of your annual global revenue for more minor compliance issues.

Can I continue to utilize targeted digital marketing?

Absolutely. While this does significantly impact how consumer data is collected, stored, and utilized, it certainly won’t kill your digital marketing efforts. The current trend is for companies to collect as much data as possible from consumers in order to understand more about their audience. With GDPR in full force, it’s likely that many companies will shift their priorities to collecting the bare minimum of information needed to complete a transaction or form. The good news here is that data can still be collected and utilized for marketing purposes; it just has to go through proper anonymizing processes before it can be utilized. Another important note – you cannot target consumers based on race, religion, or in any other way that may prove to be discriminatory.

It’s also important to understand what GDPR means for targeted marketing versus generic marketing. If a consumer in Denmark performs a Google search and happens upon a website that is written in English and clearly intended for U.S. consumers, then the company this site belongs to wouldn’t fall victim to GDPR compliance. Conversely, if a company is doing any sort of targeted marketing and/or implements localized web content in any EU territory, they are absolutely subject to the guidelines under GDPR.

With the right marketing partner, muddling through the effects of GDPR should be a breeze, and you shouldn’t see much of a hiccup in your digital marketing efforts. The marketing experts at iFocus are well-versed with GDPR and its potential ramifications. By working with us, you’re getting peace of mind knowing that we’re handling all of this for you, and that any third-party vendors we may utilize have been screened for GDPR compliance. If you aren’t working with us yet, and you’re not sure if you need to adhere to GDPR guidelines (or you know you need to but don’t know where to start), reach out to our team. We’d be happy to navigate these international waters with you.