[Note: As of May 25, 2018, the GDPR is enforceable. This article was written one month before the GDPR went into effect.]

Table of Contents

1. What is the GDPR?
2. Why should I care about the GDPR?
3. What is the GDPR asking me to do?
4. How long do I have?
5. What happens if I don’t make any changes?
6. Wait, why are you telling me this?
7. Where can I get more information about the GDPR?

What is the GDPR?

It’s the talk of the town. GDPR is on the lips of business decision-makers everywhere. But what is the GDPR, exactly?

GDPR stands for General Data Protection Regulation. It’s essentially a set of regulations intended to give people in the European Union (EU) more control over how their personal information is used by organizations. The GDPR was formally adopted in April 2016, and goes into effect May 25. As in, next month.

Why should I care about the GDPR?

It’s a troubling statistic. More than half of US-based employees haven’t even heard of the GDPR. If you’re not a decision-maker, chances are it hasn’t piqued your interest. But look at you — you’re now on the other side of that statistic. Congrats! Why should you worry about the GDPR, though?

More than likely, it applies to your business. The two main questions to ask yourself are:

1. Does my organization operate in the EU?
2. Does my organization process personal data coming from people in the EU?

If you said “yes” to the first question, the GDPR applies to you. Even if you said “no,” chances are likely that it still applies to you. Additionally, if your organization handles or processes personal information (this is from question 2), you need to educate yourself on the GDPR.

Do any of your employees, clients, or partners live in the EU? Even if the answer is “no,” you may still be on the hook. The majority of our clients are US-based, so we’ll use our country as an example. If, like most US businesses, your organization has a web presence (be it marketing* or sales) — or even if you run a location-independent survey that’s accessible to people in the EU — you may be subject to GDPR compliance.

*General global marketing doesn’t necessarily apply. For example, let’s say you’re a Boston-based software company running a paid Facebook campaign (marketing, say, an eBook) and a woman in northern Italy clicks on your advertisement and downloads your asset. The GDPR likely won’t apply to you. BUT it absolutely would apply if that eBook was titled How Our Software Helps Italian Companies and you have a dedicated landing page (with a .it domain suffix) for EU residents, and you accept euros and your advertisement is written in Italian or German or …

Simply put, if you’re targeting data subjects in an EU country, if you’re monitoring behavior of EU residents, or if you’re regularly doing business within the EU, you’re obligated to be GDPR compliant. If you’re unsure, consult your legal team.

We’ll use ourselves as an example. DemandZEN is a digital marketing and demand generation agency. Many of our clients are US-based and only sell to US-based companies. For those clients, we don’t actively market to companies in Europe. Our advertising campaigns are written in English and we always set our target audience to the US. If a businessman in Germany found our landing page for an eBook, submitted his personal information, and we sent him an email containing the eBook, he’s not protected by the GDPR and we’re not “on the hook” if we fail to abide by the GDPR’s rules.

Could your marketing efforts appear to target certain countries? The industries that will have to pay particularly close attention to their marketing practices are:

• Software
• eCommerce
• Travel
• Logistics
• Hospitality

This is not an exhaustive list. Remember — when in doubt, seek legal counsel. (Especially if you have a strong internet presence).

TL;DR: Chances are, the GDPR more than likely affects you. Directly.

What is the GDPR asking me to do?

The abridged version? The GDPR wants you to tighten your data security. You’re now required by law to protect any individual within the EU (regardless of their citizenship status, remember), but the gist is that you need to make sure their personal information is safe.

You’ll be expected to:

1. Know what data you have, and why you have it
2. Manage data in a structured way
3. Know who’s responsible for data management
4. Secure data you wouldn’t want to be disclosed (via encryption or pseudonymization)
5. Foster a culture of security awareness within your organization
6. Be prepared in case of a data breach

These are pretty straightforward, for the most part. You should start by 1) figuring out what kind of information you receive from individuals. Do you send out surveys that capture personal information? Forms? Self-service purchasing? And be careful here — personal data doesn’t just mean sensitive information — it signifies any data that can, directly or indirectly, identify an individual.

According to the law, this includes identifiers such as:

• Names
• Identification numbers (passport number, driver’s license, etc.)
• Location data
• Online identifiers (IP addresses, cookies, etc.)
• Physical, physiological, or genetic characteristics (weight, allergies, medical conditions, etc.)
• Mental status
• Socioeconomic data
• Cultural identities (even dietary preferences count here!)

Note: the GDPR makes no distinction between data from private, public, or work roles.

Manage your data in a structured way. Organize everything so that if an individual requests their information be deleted, you can find it and erase all traces of it. Create a system and know who’s in charge of what. Beef up your company’s privacy policy. If you receive a data request under the GDPR, you can’t let it slip through the cracks. Establish a point person (some companies will even be required to appoint a data protection officer). Make sure also to encrypt your data so that in the (increasingly likely) event of a data breach, no real information is exposed. The GDPR promises to be lenient (aka impose no fine) if a breach involves encrypted data. Foster a security-aware culture within your company.

How long do I have?

Until May 25, 2018. (No excuses, either, since the GDPR was formally adopted over two years ago).

What happens if I don’t make any changes?

That’s fine. And by “fine,” we mean an actual fine. You could be on the hook for 20 million euros (roughly 25 million USD) minimum. If you’re a larger organization, you face fines up to 4 percent of your global annual revenue. For Amazon, that would amount to a $7 billion fine. Yes, billion with a b. This regulation is no joke, and since it was adopted back in 2016, you can’t use the “I haven’t had time” excuse.

That being said, nobody knows exactly how strictly the GDPR will be enforced. Will authorities move swiftly to make examples of larger companies? Will they be forgiving in the first few months? Who knows?

For more information regarding GDPR fines and penalties, we suggest you read this article.

As for who will be doing the enforcing, the EU’s Office of the Data Protection Commissioner (ODPC) is charged with the task. The ODPC oversees appointed Supervisory Authorities (SAs) from each EU member state. They have a number of investigative and corrective powers at their disposal. Here’s some of what SAs will be doing:

• Conducting audits
• Reviewing certifications
• Issuing warnings if it looks like a GDPR violation might occur
• Ordering companies to comply with the GDPR
• Limiting or banning certain data processing
• Imposing administrative fines
• Suspending non-compliant data flows

Wait, why are you telling me this?

This affects us and our clients, so we’ve had to educate ourselves over the past few months. We’re a demand generation agency that works with clients all over the world (including the EU), that are primarily in the tech industry. We’re just sharing what we’ve learned — and hope this finds you before May 25th! We don’t claim to be GDPR experts, and we don’t sell special software that can simplify your GDPR compliance. Our expertise is in digital marketing and sales enablement (think cold-calling and lead optimizing).

Where can I get more information about the GDPR?

If you’re a visual learner, here’s a neat GDPR infographic you should check out. If you’re more into blogs (you seem like you’re into blogs), here’s a great series on the subject. Looking for something more advanced? IBM built a site devoted to the GDPR and has conveniently separated information according to the stage of your journey to GDPR compliance in which you find yourself. There’s even framework and GDPR readiness assessments. Or, you can read the full GDPR text — all 261 pages of it. Luckily, it’s broken out into quick links, digestible chapters, plenty of articles and recitals, and a handy search feature.

Motivated to clean your database of leads? Want to reexamine your marketing practices in the face of GDPR?

Check us out!

Remember: less than half of all US-based employees have heard about the GDPR. Share this article with your coworkers!