
GDPR: 5 Questions U.S. Companies Should Consider

By: Hoffman York
May 2019
5 min

In Europe, companies have been working late nights and early mornings to ensure they comply with the General Data Protection Regulation (GDPR), which has now taken effect. In the meantime, U.S. companies continue to believe they are unaffected. For some, ignoring it is warranted; for many, ignorance may not be bliss. The GDPR will likely still impact U.S. companies.

GDPR is a new standard in the European Union (EU) that gives consumers more control over, and transparency about, their own personal data online. If your U.S. company controls, processes or stores any data belonging to an EU citizen, it must comply with these new regulations or run the risk of hefty fines: fines that can cost companies €20 million (nearly 24 million USD) or 4 percent of annual worldwide turnover, whichever is greater. To ensure you’re protected, check out these 5 questions your company needs to ask when navigating the new GDPR world.

A quick dig into your company’s Google Analytics can show that while you might be a predominantly North American brand, you may also have users in Europe. Unfortunately for all brands, domestic or international, existing data will not be grandfathered in. This means a brand that possesses data of any EU citizen must re-verify with the user, indicating how the data is being used and how long the brand will hold it. Failure to do so can lead a business to incur large fines. Some 77 percent of U.S. companies will spend $1 million or more to ensure compliance with these new regulations. Of these, 9 percent plan to spend over $10 million on their GDPR compliance. For companies that deal with large amounts of EU citizen data, it may be in your best interest to hire a Data Protection Officer (DPO). If this isn’t financially feasible, consider appointing and training an existing employee on the necessary internal compliance measures.

When storing data of an EU citizen, regardless of where your business calls home, build a digital fortress to make sure this information stays protected. In previous breaches, like Equifax, consumers have blamed the hacker. But who is really at fault? Is it the brand that created a website that was hackable, or the hacker themselves? Under the GDPR, the accountability will fall on the brand, not the hacker. Consumer data can be defined as anything related to a user that can be directly or indirectly used to identify them. Keep careful records of how, when and for how long you have received consent from each user in case of an audit. Store this data in a cloud server, not a local file. If a brand is storing personal data, it is best to adopt pseudonymization (yes, that’s a real word), which replaces identifying information with artificial indicators or pseudonyms. If there is a breach, the company’s DPO must report it to any person they store data on within 72 hours or face fines. To put these fines into perspective, had the Equifax breach occurred post-GDPR, the company would have owed $68.5 million based on 2017 revenue.
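The two practices just described, pseudonymizing stored identifiers and keeping a dated record of each user’s consent with its retention period, as an added Python example that is not part of the original article or of Hoffman York’s own tooling. The key name, the registry layout, the hypothetical purposes and the sample addresses are all constructed for illustration; a real deployment would keep the key in a secrets store, separate from the records it protects.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical secret key, held separately from the pseudonymized records.
# Whoever has only the records (e.g. an analytics vendor) cannot recover the
# original e-mail addresses from the tokens without this key.
PSEUDONYM_KEY = b"example-key-replace-in-production"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with a keyed pseudonym (HMAC-SHA256).

    The same input always maps to the same token, so records can still be
    joined and looked up, but the token cannot be reversed without the key.
    A plain unkeyed hash would NOT be enough: e-mail addresses are guessable,
    so an attacker could hash candidates and match them against the tokens.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def record_consent(registry: dict, email: str, purpose: str, how: str,
                   granted_at: datetime, retention_days: int) -> str:
    """Store how, when and for how long consent was given, keyed by pseudonym.

    The raw e-mail address is never written into the registry.
    """
    token = pseudonymize(email)
    registry[token] = {
        "purpose": purpose,                     # what the data is used for
        "how": how,                             # how consent was obtained
        "granted_at": granted_at.isoformat(),   # when
        "expires_at": (granted_at + timedelta(days=retention_days)).isoformat(),
    }
    return token


def consent_is_valid(registry: dict, email: str, now: datetime) -> bool:
    """True only if a consent record exists and its retention has not lapsed."""
    entry = registry.get(pseudonymize(email))
    if entry is None:
        return False
    return now < datetime.fromisoformat(entry["expires_at"])


def subject_access(registry: dict, email: str):
    """Answer a subject access request: everything held under this subject."""
    return registry.get(pseudonymize(email))


def purge_expired(registry: dict, now: datetime) -> int:
    """Delete records whose retention period has ended; return how many."""
    expired = [t for t, e in registry.items()
               if now >= datetime.fromisoformat(e["expires_at"])]
    for t in expired:
        del registry[t]
    return len(expired)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    reg = {}
    granted = datetime(2019, 5, 1, tzinfo=timezone.utc)
    record_consent(reg, "alice@example.com", "newsletter",
                   "unchecked opt-in box on signup form", granted, 365)
    print(subject_access(reg, "alice@example.com"))
    print("valid in 2019:", consent_is_valid(reg, "alice@example.com",
                                             datetime(2019, 6, 1, tzinfo=timezone.utc)))
    print("purged:", purge_expired(reg, datetime(2020, 6, 1, tzinfo=timezone.utc)))
```

The lookup for a subject access request works because the pseudonym is deterministic under the key, while the registry on its own reveals no address; the purge routine is what turns the stated retention period into an enforced one rather than a promise.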

Marketers in the U.S. will be happy to know that both brands and users will be covered by the terms and conditions of social channels like Facebook. There is no need to seek out consent from each of your followers for day-to-day social media marketing. If a social media user deletes an account, under the GDPR, this will remove all data associated with the account. When using paid advertising on social media, you are able to target individuals through things like job title, location, etc. You don’t see who these people are, but the social channel does, as the processor. What could land your brand in hot water is removing data from a social media channel and using it elsewhere, for example exporting email addresses from Facebook and sending unsolicited e-newsletters.

Many U.S. companies have chosen to bury the extent of their consumer data usage in long, boring, confusing terms and conditions filled with legal jargon. Under the GDPR, U.S. companies that interact with EU consumers will need to present conditions that are clearly distinguishable from other materials. Pre-checked “I agree” boxes are no longer acceptable, and the explanation of how data is used and for how long must be stated clearly. This will hopefully reduce the amount of data brands request and limit it to only the necessities. At any time under the GDPR, an EU citizen may reach out to a company and inquire about what data this company holds on them. This is called a subject access request. Previously, it could cost consumers around $14. Now, companies must provide this information within one month of the request and at no cost. Luckily, some companies have already started this.

In the past few months, you may have noticed the dozens of emails containing updates to the terms and conditions of brands you might not even remember interacting with in the first place. Why the sudden interest? Well, it wasn’t necessarily by choice. GDPR will likely reduce the number of EU recipients for e-newsletters and campaigns. However, the users who do opt to stay on these lists will obviously be interested in your brand. To keep these people opted in, produce content that is interesting and new to your brand’s audience. Forget brand awareness; these consumers opted to stay either for a great deal or to learn through your content. As an old saying goes, 20 percent of your customers produce 80 percent of your sales.

It’s important to note that big brands will be sought after first under the GDPR. Even if you are not completely compliant right away, if your company can show concrete evidence that you are working toward compliance, this will be considered before asking for a check.

Hoffman York is a full-service integrated advertising and marketing agency with experience helping brands become GDPR compliant. For more on this topic, request a digital copy of our white paper or email questions to our Chief Executive Officer, Troy Peterson, at [email protected]
