GDPR is Changing Data Protection — Here’s How to Adapt

Shannon Walsh | May 17, 2018

For marketers, email addresses are like golden tickets to sales; as soon as you have that data, you have endless opportunities to pepper your contacts with lead-generating email communications.

But that may change — at least for residents in the European Union (EU) — based on the General Data Protection Regulation (GDPR), new legislation designed to ensure the privacy of those residing in the 28 EU countries.

The legislation will change the way you communicate with EU residents and the way you handle their personal information within data processors, like Google Analytics. To be ready when the legislation goes into effect on May 25, 2018, take these four steps.

1. Understand how GDPR will change the way you handle communication and data storage.

Based on the legislation, companies cannot send EU residents electronic communications (ELC) unless recipients have opted in to receive them (although some exceptions apply, such as transactional emails to customers). Data processors are responsible for maintaining proof of opt-in and unsubscribe requests.

What does this mean for companies that want to send electronic communications to prospects and customers?

  • Companies must provide clear requirements and instructions for opt-in and unsubscribe requests. The way you request an opt-in (e.g., a checkbox) must be accompanied by an easy-to-read statement indicating how the person’s data will be used. In addition, all ELCs must contain a way for recipients to opt out of future communications. Privacy policies must be easy to read, easy to understand, and easily accessible on websites and in emails.
  • EU residents now have additional rights. Residents now have the right to have a copy of their information delivered electronically, as well as the right to be “forgotten” — that is, to have their personal data anonymized or erased. They also have the right to be informed of any data breaches.
  • Companies cannot store personal information for longer than necessary. Data controllers and processors must only retain data for as long as needed to complete the original purpose for which it was collected.

2. Make sure you’re familiar with new Google Analytics tools that will support GDPR.

Beyond the effect GDPR will have on your email communications, it’s also spurred changes to third-party tools you may be using. For example, Google Analytics has released the following tools to assist with the adoption of GDPR.

  • Granular data retention controls allow you to manage how long your user and event data is held on Google servers. These settings will not affect reports based on aggregated data. (If you are a Google Analytics administrator, you should review data retention settings and modify them as needed for each property you use in your suite.)
  • User deletion tool allows you to manage the deletion of all data associated with an individual user (e.g., site visitor) from your properties.
  • New features for safeguarding data provide options for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization.

3. Review and accept Google Analytics’ new data processing terms.

In Google Analytics and Analytics 360, Google operates as a processor of personal data. Based on that designation, Google has started rolling out updates to contractual terms for these products. The new GDPR terms will supplement your current contract with Google and will come into effect on May 25, 2018.

For Google Analytics clients based outside the European Economic Area (EEA) and all Analytics 360 customers, the updated data processing terms are available to review and accept in your accounts.

  • Google Analytics/Analytics 360: Admin > Account > Account Settings (scroll to bottom of page)
  • Google Optimize/Optimize 360: Edit Account Details > (scroll to bottom of page)
  • Google Tag Manager/Tag Manager 360: Account Settings > (scroll to bottom of page)
  • Google Attribution/Attribution 360: Admin > Account Settings > (scroll to bottom of page)
  • Google Data Studio: User Settings > Account and Privacy (acceptance managed on a user basis)

To receive GDPR compliance notifications, you must provide your legal entity and contact details.

  • For Analytics, Optimize, Tag Manager and Attribution, go to Organization Settings > Data Processing Amendment – Details
  • In Data Studio, go to User Settings > Account and Privacy

Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU user consent policy. These updates delineate your responsibilities for making disclosures to and obtaining consent from end users of your sites and apps in the EEA.

Even if you are not based in the EEA, you must review and accept the processing terms. Work together with your legal department or advisors to determine whether your business will be in scope of the GDPR when using Google Analytics tools.

To learn more about Google’s data privacy policies and approach, or to view the data processing terms, visit privacy.google.com/businesses.

4. Check with other data processors that may have made changes.

Other data processors have also made changes, including Act-On, HubSpot, and Marketo. Consult all your currently contracted data processors to determine whether they’ve changed their privacy policies, terms of use, or data retention, and which features they are putting in place to comply with the legislation.

Email marketing communications aren’t going anywhere — but there are some significant changes to be aware of when GDPR goes into effect. If you have additional questions about how this legislation will affect your company, contact us.

 

Disclaimer: This information does not constitute legal advice. Right Source Marketing encourages all organizations to seek advice from legal counsel regarding GDPR legislation and the steps they should take to comply.
