In the wake of data breaches affecting millions of users at Facebook and Equifax, data protection and privacy are a growing concern for consumers, businesses and legislators. The European Union’s General Data Protection Regulation, or GDPR, will be the first piece of legislation to impact data protection on a global scale.
GDPR, which goes into effect on May 25, oversees the way in which personal data from EU citizens is collected, stored and used online. It is intended to provide citizens with a better understanding and control of their online privacy as part of a ‘right to erasure’.
Does your public relations or advertising agency collect, store or use personal information for pitching, ad targeting or email marketing? You could face hefty penalties if GDPR requirements are not met. Here’s what your agency needs to know to be GDPR-ready by May 25.
We’re based in the U.S. Will the GDPR affect us?
It might. If your company collects or uses personal data from EU citizens, then you must be GDPR-compliant. For example, if you collect the email addresses of UK reporters to pitch a client, then you are required to abide by GDPR practices. It’s important to note that liability is transferable from third parties as well. This means that if your company uses personal information collected by a client or partner, it’s critical to ensure that they are GDPR-compliant as well.
What constitutes ‘personal data’?
Names, email addresses, social media posts… just about anything that can be used to identify individuals online in any way. If you have to ask, it’s best to assume that it falls under GDPR requirements.
How can my agency ensure compliance?
- Conduct an audit. Documenting your agency’s role in handling personal data is crucial to becoming GDPR-compliant. This also applies to external services your company might use for data processing, such as web hosting and analytics services. An independent audit across all departments can help you prepare for next steps to becoming compliant.
- Get consent and be transparent. GDPR requires that organizations be able to prove that consent was given for the data they hold. It also prohibits using data for anything other than the purpose for which it was collected. For instance, if your agency collects the email addresses of EU citizens from a client’s opt-in form intended for newsletter subscriptions – and uses them to target Facebook users with an ad – you don’t have consent. This is why agencies should consider updating any opt-in forms, privacy policies and terms of service across all applicable marketing, advertising and media relations channels with improved consent language.
- Purge dangerous data. If you can’t prove that consent was given for data, delete it immediately. GDPR also bans the collection of data from anyone under 16 years old unless parental or guardian consent is given. Sensitive data, such as political opinions and religious beliefs, should also be removed, and shouldn’t be collected, unless explicit consent is given.
- Consider encrypting and backing up data. Under GDPR, EU citizens can request that your agency provide them with all personal data you may have collected from them, at any time. Depending on the sensitivity and scale of your agency’s data handling, it may be a good idea to back up that data and organize it for quick reference. GDPR also suggests that personal data be encrypted. This is not required. However, if a breach occurs and data was not encrypted, organizations are required to report the breach to data subjects.
- Educate staff and create a plan. Think of all the people within your agency who manage personal data – it’s not just the IT department. From account executives to social media interns, GDPR could affect nearly everyone you work with. Employees from the top down should be familiar with basic data protection regulations and understand the importance of compliance. Creating a data management plan that involves participation across all departments will help confirm your agency’s compliance and protect your clients’ and customers’ personal data. This plan should designate a point of contact (or, depending on the scale of your agency, a Data Protection Officer) who is responsible for all matters related to data protection.
What are the penalties for not being compliant?
If your agency is not GDPR-compliant on and after May 25, you could face severe fines – up to 20 million euros or 4 percent of annual global turnover – whichever is higher. It is not yet clear how EU authorities will monitor and impose these fines, especially when it comes to American businesses, but it’s important to understand that they have the power to do so. So, if your agency handles the personal data of EU citizens, it’s best to err on the side of caution and act fast to become GDPR-compliant.