During the recent webinar hosted by the International Association of Privacy Professionals (IAPP) and sponsored by Gigya, the engaging presentations and discussion made the hour fly by. As a result, we were unable to answer all of the audience questions regarding the European Union’s General Data Protection Regulation (GDPR) during the Q&A session.
Luckily, we were able to record the questions so we could answer them here. Interestingly, many of them could be grouped into themes, which indicates many people have questions about similar GDPR preparation topics.
Below are the top three themes from the webinar Q&A and my responses.
By the way An actual lawyer is asking me to note that the following answers should not be viewed as legal advice. If you have any questions about the GDPR or your company’s responsibilities under the regulation, you should consult with a legal expert.
Theme 1: “Is my company beholden to GDPR requirements?”
Many audience members had questions to determine whether or not the GDPR would apply to their companies. Some were B2B businesses. Others employed less than 250 people. And many were U.S. businesses who do not sell products or services in the EU.
While there are many qualifications to the scope of GDPR applicability, the rule of thumb goes:
If you serve even a single customer in Europe, you must now maintain proof of how, when, where and why you collect and process their personal data.
This includes customer, supplier, partner and employee personal data. And it’s important to note that the GDPR’s definition of personal data covers a wider range of information than the commonly-known definition of personally identifiable information (PII).
It’s also important to note that no financial transaction needs to occur. If you localize your website content to an EU member state and that website cookies visitors, your company is responsible to manage the data in accordance with the GDPR even if the visitors don’t create accounts or make purchases from the site.
You may not be subject to all the GDPR provisions. Companies with fewer than 250 employees, are exempted from certain data processing responsibilities. But it’s safe to say that if you do business with anyone in the EU, you have GDPR compliance responsibilities.
Theme 2: “How will GDPR requirements affect the customer experience?”
This is an important theme because the regulation requires businesses to provide consumers (referred to therein as “data subjects”) access to several data protection rights. It also requires businesses to request new consent to terms of service and privacy policies any time there’s an update.
Now, with GDPR enforcement just weeks away, companies are trying to figure out how to provide the required access and consent requests without negative impacts to their customers’ experiences. Specifically, many businesses are concerned their customers may get “consent fatigue” as a result of the GDPR.
I definitely agree there’s a balance to strike on this issue. Yet as we learned in the webinar, people in the EU member states will be educated on their new GDPR-based rights. That means they’ll be expecting more engagements concerning their communication preferences and consent.
In addition, research shows that consumers will trust brands more if there’s transparency in the relationship about how personal data is collected, used and processed.
This does not mean consumers want to be peppered with preference and consent requests. It means they want control of their data. The businesses that can offer consumers this control in intuitive ways will not only comply with the GDPR but also strengthen their customer relationships.
Theme 3: “How will the GDPR affect the future?”
Many audience members wanted to know about the GDPR’s impact on the future of both business and other data protection regulations.
While I don’t have a crystal ball, I do have a couple of pertinent thoughts on the topic:
- Businesses in the UK will be subject to GDPR during the Brexit process, after which the Information Commissioner’s Office has set expectations that whatever replaces the law will be “essentially equivalent”.
- This evolving data privacy landscape puts a major emphasis on solution agility. Companies don’t just need a GDPR compliance solution; they need a profile data, consent and preference management solution that can respond to multiple regulations in multiple regions. This solution must also support data localization and automated updates and customization capabilities to adapt to regulations as their requirements change.
For More Information
If you’re looking for more GDPR preparation information, register here for our upcoming webinar: GDPR Essentials Every Marketing Leader Should Know.
You’ll get key insights on customer demand and GDPR compliance solutions. You’ll also learn how other companies are implementing consent and preference management solutions to address GDPR compliance.
By Jason Rose