The deadline for new stringent privacy regulations in Europe is fast approaching on May 25, 2018. But many US companies are still in the process of assuring compliance with the General Data Protection Regulation (GDPR) and some are still not sure how the new regulations impact them.
Let’s be clear. GDPR is being imposed by the European Union (EU) to protect the privacy of its citizens. However, its far-reaching nature will affect any company – even those in the US – that collects, stores and processes any personal information of an EU resident.
Under GDPR, personal information is anything that can be used to directly or indirectly identify a person, including:
- Name, address and ID numbers
- IP address, cookie data, and RFID tags
- Banking details
- Email addresses
- Posts on social networking sites
- Health, genetic, and medical data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Under the new GDPR rules, EU citizens must give explicit consent to have their personal data stored and processed. That data can also only be stored for “no longer than is necessary for the purposes for which the personal data are processed.”
Additionally, individual personal data must also be portable from one company to another. And EU residents can ask that their data be erased and companies must immediately comply. The only exceptions are other legal requirements requiring businesses to maintain specific data – like health or tax records.
The penalties for non-compliance are stiff. Failing to comply could cost a business 20 million euros or 4 percent of global annual turnover, whichever is higher. Fines are imposed by a GDPR supervisory board. The size of those fines will be assessed based on the gravity of the infringement and whether or not steps were taken to mitigate the damage.
GDPR and the Affiliate Channel
For those leveraging the affiliate channel – whether a merchant or publisher – GDPR will have a big effect. Personalization tactics, retargeting, emails, newsletters, deals and discount alerts, as well as contextual ads, are all based on leveraging personal information. That means use, storage and processing of that data is subject to GDPR compliance.
E-tailers and affiliates must also be aware that any third-party partners they work with are also directly and legally obligated to comply with GDPR. If a retailer is responsible for passing data to a third party (such as a CRM system, a bulk mailing application, or an affiliate), it is deemed responsible for how that data will be used, which means it could be on the hook for fines if its partners aren’t compliant.
Not Everyone is Ready
Most big global brands have GDPR compliance efforts well underway. But smaller businesses are less prepared. A December 2017 Solix Technologies survey claims 22% of businesses were still unaware that they must comply. Thirty-eight percent said the personal data they process is not protected from misuse and unauthorized access at every stage of its life cycle. Half of those surveyed expect to be fined.
Recent data from PricewaterhouseCoopers says that only about 30% of companies have begun to prepare for GDPR, and nearly 62% of US companies will spend more than $1 million preparing for it. The survey also noted that 32% of the respondents said they plan to reduce their presence in the EU, while 26% said they would exit the EU.
GDPR is one of the most far-reaching changes related to privacy in the last several decades, and businesses will need to have a strategy for dealing with it. If not, they should be prepared to face hefty penalties that could cripple their business.