The European Union General Data Protection Regulation (GDPR) takes effect in May 2018 and Gartner believes that less than 50% of all organizations impacted will fully comply by that date. Companies found in violation of the GDPR can be fined up to 4% of their global annual revenue or 20 million Euros, whichever is higher. The media coverage following such a finding could cause substantial damage to a brand.
While there are fines and reputational risks at stake, global enterprises are likely to find it more economical to broadly implement a common set of operational best practices rather than try to manage a collection of local compliance measures that are constantly changing and may lack adequate safeguards. Incorporate the highest standards of data protection globally to save money and reduce compliance risk.
To prioritize risk mitigation actions and develop best practices for EU and global operations, marketers need to understand GDPR basics.
What is the GDPR?
The GDPR is a legal act designed “to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” In general, the GDPR brings a framework of best practices that, if adhered to, also goes a long way toward satisfying the data protection requirements of many non-EU jurisdictions. Compliance will demand behavior and culture changes in the marketing team. It will also mean navigating a tricky balance of rights, risks and interests, because each organization needs to form its own guidelines for interpreting the regulation in a way that balances risk with business value.
Does the GDPR apply to you?
- If your organization has an establishment in the European Union and processes personal data in the context of that establishment, the GDPR applies to your firm
- If your organization offers goods or services to individuals in the EU (whether or not payment is involved), the GDPR applies to your firm, even if it has no EU establishment
- If your organization monitors the behavior of individuals in the EU, for example by tracking or profiling website visitors, the GDPR applies to your firm
Even if you determine your organization doesn’t need to adhere to the GDPR, assessing its impact on your data processing practices is a best practice for all marketers concerned with privacy and its effects on brand perception.
Who is responsible for compliance?
Business (process) owners are responsible for compliance, and since marketing is regarded as a set of business processes that roll up to a CMO or equivalent leader, the marketing leader is ultimately responsible for marketing’s compliance with the GDPR.
Part of the marketing leader’s responsibilities will be to periodically conduct privacy impact and risk assessments (the GDPR calls these data protection impact assessments) for marketing processes that handle personal data. Emphasize to staff their accountability for adherence to privacy requirements, and ensure that training is suitable and that advice is available (in cooperation with your legal and HR counterparts).
“Prepare your organization for sustainable compliance by constructing a plan detailing all marketing activities that may be affected by the new regulations and analyze remediation options,” says Frank.