General Data Protection Regulation (GDPR) is the beast of all beasts when it comes to data security and compliance. The regulation goes into full effect on May 25th, 2018 and affects marketers and businesses that manage the data of Europe Union (EU) residents.
What does this mean for today’s US-based marketers? For a vast number of companies that do business in Europe, there is no easy button–you’ll need to develop a full fledged GDPR strategy.
For a small majority of organizations who only do business in the U.S, you might consider adopting a GDPR Blocker Strategy that reduces risk by keeping EU data out of your systems in the first place.
Read on for more details.
The GDPR Blocker Strategy
If you follow hockey or soccer, the goalie prevents (or is supposed to prevent) the puck or ball from getting into the net. No goalie is perfect so an occasional one gets by. Similar to hockey or soccer, the Blocker Strategy simplifies GDPR risk reduction by preventing EU folks from getting into your database in the first place and deals with exceptions if they occur.
It’s not for everyone. If you are doing business in the EU, most organizations require significant process and technology updates to reduce GDPR compliance risk. Sorry, no shortcuts, but read Six GDPR Questions to Get You Started for more info.
Of course, the devil is in the details but the strategy is…..block all EU folks from getting into your database and remove any existing EU records from your database. We love our EU neighbors, so we want to make sure we respect their privacy wishes set by their countrys’ leaders.
Think of this strategy like owning a nightclub. The nightclub owner doesn’t want anyone under the age of 21 in the club and puts processes in place to prevent that from happening.
Sounds a little crazy, huh? Again, this doesn’t work for the majority of organizations, but for the select few, this approach can save your organization significant time and investment for GDPR readiness.
Who Should Consider the GDPR Blocker Strategy?
Most organizations do not fall into these categories, but the below organizations will want to consider the GDPR Blocker Strategy.
1) US-based organizations/Your business does not do business in the EU. If you don’t care about getting business from the EU, or communicating with the EU, don’t do it. In this case, the cost of doing business is actually much greater than the gain from the revenues. If EU revenues are small or that’s not your target market, it just might not be worth investing in full GDPR processes.
We had numerous clients take this approach with the Canadian Anti-Spam Law (CASL) and it worked well. Several of our current clients fall into this category for GDPR and are adopting part of this approach.
This approach will save you the time of trying to put processes in place to manage that data accordingly. The drawback is you may alienate EU folks–you’ll need to make that business decision.
2) Companies with an emergency compliance fire drill. At some point, an executive realizes the importance of GDPR compliance and demands fast compliance when you have little process in place. Or maybe your organization receives a compliance letter from authorities. Hopefully, your organization has planned in advance, but this GDPR Blocker Strategy is an approach to consider if your company falls into this category.
3) Your organization is already compliant and you just need to make some tweaks. You might be able to pull a tidbit or two out of this approach. As of this writing, I know very few (actually 0) who fall into the category. If you are, congratulations.
The Approach in Action
The disclaimer: No process is perfect and I am not a lawyer. Please consult with your attorney to make sure any GDPR approach works for your organization.
#1 Turn on the Cookie Monster
As part of GDPR, you can’t collect browsing data on web visitors without their consent. With this strategy, you’ll need a solution like Trustee that automatically identifies European visitors when they hit your site. They’ll instantly be asked for cookie permission assuming you are using tracking code.
Recital 30 Cookie Clause, . NATURAL PERSONS MAY BE ASSOCIATED WITH ONLINE IDENTIFIERS…SUCH AS INTERNET PROTOCOL ADDRESSES, COOKIE IDENTIFIERS OR OTHER IDENTIFIERS…. THIS MAY LEAVE TRACES WHICH, IN PARTICULAR WHEN COMBINED WITH UNIQUE IDENTIFIERS AND OTHER INFORMATION RECEIVED BY THE SERVERS, MAY BE USED TO CREATE PROFILES OF THE NATURAL PERSONS AND IDENTIFY THEM.
#2. Remove Any EU Records in Your Database
Besides consent requirements, GDPR has several requirements around data security. Why keep data in your system you don’t need if it poses compliance risk?
Certain GDPR regulations talk about the right to be forgotten, how long to keep someone’s data (as long as you need it), and what consent is needed to collect the data in the first place. This step kills three birds with one stone.
Here, query your systems and find anyone from EU, then delete them as keeping their data in your system increases GDPR risk. Don’t forget to take out anyone whose IP indicates they are from Europe–better safe than sorry unless you are positive they are from outside the EU.
This sounds easy but there’s a good chance you’ll have people in your database that don’t have country values. You should work with a data provider like Oceanos or Synthio to append that country data to make sure you are deleting the right people.
Again, no process is perfect, but this process will reduce risk.
#3. Get Your Forms Ready and Collect Country
Make sure to adjust every form on your website to include country. How do you know which regulation a person is subjected to unless you collect the country information?
For anyone who attempts to fill out a form from the EU, block it. Think about your form as a bouncer at a bar that doesn’t let in certain people. Obviously, you’ll want to put in some nice language so the visitor understands the position.
Example Copy: Thanks for your interest. At this time, we do not currently support requests from the European Union. Please contact 555-555-5555 for more information.
Another alternative we’ve seen is allowing recipients to sign up to receive a specific piece of content and then immediately deleting the data after getting the content. One could argue that they wanted the content and your process protected their data by deleting it right away.
This sounds like a reasonable approach but what if upon signup, that data syncs to your CRM and fires an alert to a Sales rep. Now that data starts living in other places….yep, this stuff isn’t easy.
Whatever you do, make sure to be clear about how you plan to use the data at signup.
#4. Find Other Gaps
Forms are a big way the data gets into the system but it’s not the only way. You’ll need to do an assessment of your data capture methods to make sure EU records aren’t falling through the cracks.
Remember, country needs to be collected everywhere.
For example, your sales team is most likely adding records manually into the system. You’ll need to train them not to add anyone from the EU. As a best practice, you should make sure country is included as part of a mandatory process when a record enters the system. Like a form, block anyone from a European country or auto delete it.
In another use case, many organizations rely on third-party data and APIs to bring new data into the system. You’ll need to add the same processes here to ensure EU records are not sneaking by.
#5. Auto Delete
Somehow, people make it through your form gates and through your processes. For those people, set up workflows that auto delete anyone who enters your system from EU countries.
And to be doubly safe, create nightly batch campaigns that do the same.
Of course, there are caveats which is why you want to the consult with your attorney – there might be another regulation that says the data can’t be deleted for a certain amount of time (e.g. finance, legal claims). Or you may need to prove that you deleted it (don’t even get me started on this catch 22).
#6. Document your Processes
Fortunately, you really don’t have a lot to document because your processes are so simple in terms of GDPR. At a minimum, get out Microsoft Word and type 2-3 pages about your GDPR strategy that you just implemented from above.
Getting GDPR compliant can take a lot of effort. If your company meets certain requirements, you should consider elements of the GDPR Blocker Strategy.
As a final reminder, we are not lawyers, so please run any plans by your attorneys to ensure the compliance policy matches your risk tolerance.
If you need some help, give us a call as we develop these policies regularly.