Understand what GDPR is and how it affects US companies.
- Take the 3-Question Test to see if it really applies to you
- Follow a 4-part framework for updating your privacy policy
- Learn why your CRM may be a problem
- Get a full checklist on how to become compliant today
3. Goals of EU's General Data Protection Regulation
Protection: protect personal data and strengthen the privacy rights of EU individuals.
Control: give users control over their data.
4. Principles of EU's General Data Protection Regulation
• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability (the controller must be able to demonstrate compliance)
5. Stakeholders of GDPR
Data Subject: an identified or identifiable natural person in the European Union whose personal data are being processed.
Data Controller: the institution, business or person that decides why and how personal data are processed, e.g. an e-commerce website.
Data Processor: an entity (company, institution…) that processes personal data on the controller's behalf and under its instructions, e.g. Google, Facebook, a CRM app…
Data Protection Officer (DPO): the person appointed by the data controller (or processor) to oversee its data protection practices.
Data Authority (supervisory authority): the public institution that monitors and enforces the regulation in a specific EU member country.
6. Who is affected by GDPR?
Any business collecting or holding personal data on individuals who are in the EU, no matter where the business itself is located. What counts is where the data subjects are, not their citizenship.
7. 3-Question Test – Does GDPR Apply To You?
1) Do you offer goods or services to someone who lives in Europe?
   Even a U.S.-based company is covered if it offers goods or services to EU residents.
2) Does your company use predictive analytics or other "monitoring" of individuals in your marketing?
   EU residents could fall within the data you collect, which creates compliance obligations.
3) Does your company have any U.S. citizen expats living abroad?
   The regulation applies to your company if it employs people living in the EU.
8. Types of Personal & Private Data
Personal data (anything that can identify someone): name, address, phone, bank/credit cards, email address, IP address, cookies, online identifiers.
Sensitive data (the GDPR "special categories", which need an additional legal basis before they may be processed): biometric data, genetic data, health data, sex life or sexual orientation. The list goes on: racial or ethnic origin, political opinions, religious or philosophical beliefs and trade-union membership are in the same category.
9. GDPR – Individual User Point of View
For the individual, the following must be ensured:
Consent is obtained before personal data are processed (where consent is the legal basis)
Right to erasure ("right to be forgotten")
Right to rectification (have inaccurate personal data corrected)
Transparency: the right to be told what data are collected and how they will be used (where they are stored, who will have access)
Right to data portability: the individual can request their data in a structured, commonly used, machine-readable format
10. GDPR – Regulator Point of View
Regulators have the ability to:
Ask for records of processing and proof of compliance
Impose temporary bans on processing, require notifications to data subjects, or order erasure of data
Suspend cross-border data flows
Enforce penalties and fines
11. Breaking GDPR – Penalties & Fines
If personal data you hold are breached, you must notify the supervisory authority within 72 hours of becoming aware of the breach, and notify the affected individuals without undue delay when the breach is likely to put them at high risk.
Fines come in two tiers: up to €10M or 2% of global annual turnover for failures such as late breach notification, and up to €20M or 4% of global annual turnover for breaching the core principles, individuals' rights or the rules on international transfers. In each tier, whichever amount is higher applies.
12. GDPR – Is There A US Equivalent Coming?
The Chairman of the House Information Technology Subcommittee (Rep. Will Hurd, R-TX) says a federal law could be a possibility, with changes.
The White House says it looks forward to working with Congress on data privacy issues.
California passed AB 375 (the California Consumer Privacy Act) in 2018; it borrows several GDPR concepts such as access, deletion and opt-out rights, but it is not a copy of the regulation.
13. What Do We Do About It?
- Why does this matter to marketers?
14. Data Collection – Think About It Differently
You have to ask for permission:
No pre-checked boxes; silence or inactivity is not consent
The user must opt in (and double opt-in, i.e. confirm by email, to be safe)
Only ask for the data that is pertinent to this step (data minimisation)
Transparency: Terms & Conditions, Privacy Policy, GDPR FAQ
Store consent records where the Data Protection Officer can access them
16. GDPR – Company (Data Controller) View
Controller: the company that decides why and how the personal data of EU users are processed
Check your data processors (vendors that handle the data for you) and have a written data-processing agreement in place with each
Appoint a DPO (Data Protection Officer); this is mandatory for public authorities and for companies whose core activities involve large-scale monitoring or large-scale processing of sensitive data, and good practice otherwise
Audit data usage (what is collected, where it is stored…)
Monitor for and detect data breaches
72 hours to report a data breach to the supervisory authority
17. Update Your Privacy Policy
1) If and how you use cookies and social media data: remarketing, pixels, etc.
2) How data is obtained, where you got it, and third-party usage: who has access, where it is shared, and so on
3) Storage timeframe: how long you store it, and for what purpose
4) Opt-in, opt-out, and no obligation: how users opt out, and that they are not obligated to opt in
18. Review your CRM
Your CRM has to do more:
Record how and when each contact's data was captured (source, date, and the consent wording they saw)
Record how long it is to be kept on file, with a process to clean out expired records
Record the source of, and any criteria used to select, a purchased list
Offer an easy per-contact export for the Data Protection Officer (the same export serves access and portability requests)
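The consent ledger below is an added example written for this page; it is not code from the original deck or from any CRM product it mentions. It shows, in Python, what the CRM requirements above look like as a data model: every record stores how and when consent was captured and which privacy-policy version the contact saw, a subscription only becomes active once the double opt-in confirmation arrives within a window, unconfirmed and expired records are purged on schedule (storage limitation), and one call exports everything held on a person as JSON for the DPO or a portability request. The email addresses, policy version labels, retention period and timestamps are all constructed sample values, not real contacts.

```python
"""Consent ledger (added example, constructed data): records how/when consent was captured, enforces double opt-in and retention, exports one person's data as JSON."""
from __future__ import annotations

import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One consent for one purpose; these fields are what a DPO or auditor asks for."""
    email: str
    purpose: str                # what the data is used for (purpose limitation)
    source: str                 # how/where it was captured: form URL, event, list vendor
    policy_version: str         # privacy-policy version shown at capture time
    requested_at: datetime      # when the subject ticked the (unchecked) box
    retention_days: int         # how long a confirmed record may be kept on file
    confirmed_at: Optional[datetime] = None  # set by the double opt-in click
    withdrawn_at: Optional[datetime] = None  # set when the subject opts out

    def expires_at(self) -> Optional[datetime]:
        return None if self.confirmed_at is None else self.confirmed_at + timedelta(days=self.retention_days)

    def is_active(self, now: datetime) -> bool:
        """Usable for marketing only if confirmed, not withdrawn and within retention."""
        return self.confirmed_at is not None and self.withdrawn_at is None and now < self.expires_at()


class ConsentLedger:
    def __init__(self, confirm_window: timedelta = timedelta(hours=48)) -> None:
        self.confirm_window = confirm_window  # unconfirmed requests are dropped after this
        self._records: list[ConsentRecord] = []

    def request_opt_in(self, email: str, purpose: str, source: str,
                       policy_version: str, retention_days: int, now: datetime) -> None:
        self._records.append(ConsentRecord(email.lower(), purpose, source, policy_version, now, retention_days))

    def _latest(self, email: str, purpose: str) -> Optional[ConsentRecord]:
        # Newest record wins, so a re-opt-in after a withdrawal is handled correctly.
        return next((r for r in reversed(self._records) if r.email == email.lower() and r.purpose == purpose), None)

    def confirm(self, email: str, purpose: str, now: datetime) -> bool:
        """Double opt-in: only a timely first confirmation activates the record."""
        rec = self._latest(email, purpose)
        if rec is None or rec.confirmed_at is not None or now - rec.requested_at > self.confirm_window:
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, purpose: str, now: datetime) -> bool:
        rec = self._latest(email, purpose)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now  # kept until retention ends, as proof the opt-out was honoured
        return True

    def active_subscribers(self, purpose: str, now: datetime) -> list[str]:
        return sorted(r.email for r in self._records if r.purpose == purpose and r.is_active(now))

    def purge_expired(self, now: datetime) -> int:
        """Storage limitation: drop stale unconfirmed requests and records past retention."""
        def stale(r: ConsentRecord) -> bool:
            if r.confirmed_at is None:
                return now - r.requested_at > self.confirm_window
            return now >= r.expires_at()
        before = len(self._records)
        self._records = [r for r in self._records if not stale(r)]
        return before - len(self._records)

    def export_subject(self, email: str) -> str:
        """Access / portability request: everything held on one person, as JSON."""
        rows = [asdict(r) for r in self._records if r.email == email.lower()]
        return json.dumps(rows, indent=2, default=lambda d: d.isoformat())

    def erase_subject(self, email: str) -> int:
        """Right to erasure: remove every record held on this person."""
        before = len(self._records)
        self._records = [r for r in self._records if r.email != email.lower()]
        return before - len(self._records)


def demo() -> dict:
    """Walk a constructed timeline (sample addresses, not real contacts) and return what a DPO would check."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.request_opt_in("alice@example.com", "newsletter", "https://example.com/signup", "policy-2018-05", 365, t0)
    ledger.request_opt_in("bob@example.com", "newsletter", "purchased list: vendor X, 2017", "policy-2018-05", 365, t0)
    ledger.confirm("alice@example.com", "newsletter", t0 + timedelta(hours=1))  # Bob never clicks his link
    out = {"active_after_confirm": ledger.active_subscribers("newsletter", t0 + timedelta(hours=2))}
    out["purged_unconfirmed"] = ledger.purge_expired(t0 + timedelta(days=3))  # Bob's stale request is dropped
    out["late_confirm_rejected"] = not ledger.confirm("bob@example.com", "newsletter", t0 + timedelta(days=3))
    ledger.withdraw("alice@example.com", "newsletter", t0 + timedelta(days=10))
    out["active_after_withdraw"] = ledger.active_subscribers("newsletter", t0 + timedelta(days=11))
    out["alice_export"] = json.loads(ledger.export_subject("alice@example.com"))
    out["purged_after_retention"] = ledger.purge_expired(t0 + timedelta(days=366))
    out["erased_after_purge"] = ledger.erase_subject("alice@example.com")
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter more than the code itself: the mailing job should read only `active_subscribers`, never the raw table, so a withdrawn or unconfirmed contact can never be emailed by accident; and `purge_expired` has to run on a schedule (a nightly job), because a retention period that is only written in the privacy policy but never enforced in the database is the kind of gap a supervisory authority asks about first.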
19. Communication
Re-Opt-In: rebuild the database and have contacts opt in again. Offer something in return to get them to opt in again for your marketing.
Multiple Channels: use all communication channels to share your updates and compliance actions.
Effective Dates: explain the actions taken and the effective dates of the changes.
Distribute the Privacy Policy: include the updated privacy policy or pertinent documentation to help users understand their rights and what you are doing to be compliant.
20. Online Tools & Apps related to GDPR
Mail collection & mailing
• Double opt-ins
• Agreement boxes not pre-checked
• Clear data consent & usage statement
• Unsubscribe option
Cookie control banner
• Use a WordPress plugin, or the equivalent on other platforms
Privacy policies
• Consult with a lawyer
• Buy templates
Data processors (e.g. CRM, cloud storage)
• Check their GDPR statements & features
21. GDPR Checklist
Privacy and Security
• Update the Privacy Policy and share it across multiple platforms
• Confirm TLS/SSL (HTTPS) is in place on every page and form that collects personal data
• Establish a data breach plan of action (who decides, and who notifies the supervisory authority within 72 hours)
Technical
• Make changes to web forms and data collection activities
• Update your CRM with additional consent tracking and info
• Ensure customer opt-outs are honoured and stored consents expire according to schedule
• Ensure cookies and pixels are disclosed in the Privacy Policy and online
• Talk to subject-matter experts about the data safety and protection you have in place
General
• Reach out to an attorney
• Communicate with your contacts
• Designate your company's data protection officer (DPO)
• Cooperate with the supervisory authority (e.g. the UK's Information Commissioner's Office) should they reach out
• Establish a team accountable for web, social, email, and marketing updates
22. What Next?
1) Download Guide at blueatlasmarketing.com/GDPR
2) Reach out to Nate with specific questions and
information needed: nate@blueatlasmarketing.com,
TW:@blueatlastweet, FB:/blueatlasmarketing
3) Get Compliant!!