The new European Union regulation applies to every company that holds the personal data of EU residents, regardless of where the company is located.
GDPR is the acronym for General Data Protection Regulation, the regulation that significantly changes the obligations of companies that handle the data of people residing in the European Union. The GDPR's intent is to increase the online privacy of these individuals.
If your company runs Digital Marketing actions and keeps the personal data of your contacts, you need to know about the GDPR.
The General Data Protection Regulation is a new European Union regulation that significantly changes the obligations of companies that handle the data of people who are resident in the European Union. The purpose of the change is to increase the online privacy of these individuals.
The new regulation applies to any company that processes or stores the personal data of any EU resident, regardless of where the company is located. In other words, even if your company is in Brazil, it must comply with the new rules if it holds the personal data of contacts in Portugal, Spain, France or any other EU country.
But what are these personal data? The GDPR considers any data that, alone or in conjunction with other data, can be used to identify an individual. Some examples are name, physical address, email address, IP address, financial data, behavior data on web pages and other similar information.
The GDPR was approved by the EU Parliament in April 2016 and comes into force on May 25, 2018.
Therefore, by that date, every company in the world that handles the data of citizens residing in the EU must comply with the new rules.
This includes us at Resultados Digitais, you who have a Leads base, all RD Station Marketing clients, and all agencies that are part of RD’s partner program.
No one is exempt. Every company needs to comply with the new regulation.
If you are an RD Station Marketing customer, go to the post on the subject on our product blog and learn how the platform is impacted.
How can your business be impacted? 7 points to note
Under the GDPR, primary responsibility lies with the data controllers, that is, the companies that control the Lead's data, whether through software or not.
Data processors, on the other hand, such as software that processes personal data, must adopt technical and organizational measures so that the information is processed securely and the privacy of the data subjects is respected.
For example: Resultados Digitais is the data controller of all the Leads it generates for itself. These Leads are processed by RD Station Marketing, the data processor. In other words, RD is not the data controller of the Leads that customers generate through the platform; that responsibility belongs to the company that uses the software.
The example was internal to RD itself and RD Station, but, as we have said, the same holds for any company (data controller) and any software (data processor).
There are some points that need to be observed and probably changed in your company’s marketing actions. Let’s talk about them next:
1. Unambiguous consent
The Lead's consent to providing their data must be given through a statement or an affirmative action on their part. Companies will no longer be able to rely on fine print, pre-checked boxes or omitted legal text.
This means that the Lead needs to be aware that their data will be captured when they convert, and that they must give that data unambiguously.
It must be easy for the Lead to agree to provide their data, to refuse access to it, or to withdraw that access once given.
2. Right of access
The Lead has the right to know whether any of their personal data is being processed by a company, where that data is being processed and for what purpose it will be used.
They are also entitled to access any and all data that the company holds about them, which must be delivered in electronic format and free of charge, upon request.
3. Data portability
In addition to the right to access and claim their personal data, the individual gains the right to data portability, that is, to move this data to a system other than that of the company that collected it, without losing any of the information.
4. Right to delete data
The Lead gains the right to have their data permanently deleted from the company's database if they so wish.
They are also entitled to prevent the company from continuing to disseminate this data and from having it processed by third parties.
5. Notification of system violation
If the company suffers a data breach for any reason, and data is stolen, exposed or otherwise made vulnerable, it is obliged to notify the individuals whose information was affected within 72 hours of discovering the breach.
This applies to both data processors and data controllers, under penalty of fines.
6. Privacy by design
The concept of privacy by design establishes that the development of a system, and the business practices for bringing it to market, must be guided by the principles of data protection and user privacy.
This means that when creating new products or developing new features, you must always keep the requirements set out in the GDPR in mind.
7. Data protection officer
If the company carries out activities that require regular, large-scale monitoring of personal data, it needs a professional responsible for protecting that data: someone who is familiar with the relevant standards and good practices.
And what about the GDPR fine?
Now you may be asking yourself: what if my company is not GDPR compliant? What will happen?
The penalty for companies that do not comply with the regulation can reach 4% of the company's global annual revenue or 20 million euros, whichever is greater. This maximum amount exceeds 80 million reais and applies to companies that violate the main points of the regulation, such as not asking for the Lead's consent or violating the principles of privacy by design.
To recap, below are some quick actions you can take to bring your company's Digital Marketing actions into line with the GDPR:
- Change your Landing Pages to make clearer the purpose for which each piece of personal data is being captured;
- Permanently delete a Lead's data if they so wish;
- Send the Lead all the data stored about them if they request it.
What are the next steps?
Certainly, changes will be needed, and not just in marketing, at companies around the world.
To better understand how your company will need to adapt, the regulation's official website (in English) covers the main points of change. To read the full regulation, the final text in Portuguese is available on the EUR-Lex website.
Remember that, more than ever, it is time to review how you interact with your base. Sending emails that are relevant to a chosen segment is one way to ensure that you deliver to Leads only what they want, rather than using their data to bother them and fill their spam folders, which, by the way, is one of the GDPR's main goals.