Wednesday, June 27, 2018

GDPR Data Regs Hit U.S. Marketers in Europe

Starting this May, any U.S. marketer targeting customers in the European Union (EU) countries must navigate a changed data landscape thanks to the new General Data Protection Regulation (GDPR). It doesn't matter if the brand, marketer or data processor is based in the U.S.; strict compliance is mandatory. And shrugging off new data rules is a very costly mistake. Noncompliance can mean a fine equal to 4% of global annual revenue!

The regulation's intended purpose is protection of non-anonymized personal data, and compliance is required of any company (or organization) that stores or processes personal information about individuals ("data subjects"), who are defined as European citizens residing in an EU state. The protected personal data includes: name, address, and phone number; IP address and cookies; racial identity; religion and religious affiliation; health and genetic data; biometric data; and sexual orientation and gender preference.

GDPR's regulated "data controllers," who determine data processing, and "data processors," who handle data on behalf of data controllers, must respect key rights with regard to personal information. For example, there is an individual's right to access, meaning the right to know what personal data has been collected and how that data has been processed. There is a right to accuracy, and to restriction of data processing in the case of inaccuracy. There is a right to "freely given" and "explicit" consent for processing and storage of personal data. Plus, consent may not be regarded as "freely given" where performance of a contract is made conditional on consent, or is unnecessary to performance of a contract. The data subject also has the right to data portability, meaning the ability to request and receive personal data in a format easily transferred to another data controller. Finally, there is erasure or "a right to be forgotten," which allows individuals to withdraw their consent for data use or storage and demand that personal data be erased and no longer processed.

Not sure it applies to you, direct marketer? Consider this GDPR wording: "Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge."

In terms of strategic response, 64% of executives at U.S. corporations reported that their top strategy for reducing GDPR exposure is centralization of data centers in Europe, according to a report released by PricewaterhouseCoopers (PwC). Just over half (54%) told PwC they plan to anonymize European personal data to reduce exposure. A significant minority are cutting European efforts, with 32% of respondents planning to reduce their presence in Europe, and 26% intending to completely exit the EU market.

For more, see our website blog post: http://www.acculistusa.com/u-s-marketers-in-europe-wrestle-gdpr-data-compliance/